Analysis
- max time kernel: 167s
- max time network: 216s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 10:30
Static task: static1
Behavioral task: behavioral1
- Sample: d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
- Resource: win7-20220414-en
General
- Target: d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
- Size: 2.3MB
- MD5: 968e9faa49c57145eb9aa1d88147980a
- SHA1: 6f5824fac218092bdd0d2215b9e59615fdb4ddc3
- SHA256: d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109
- SHA512: 9330d072ce4689299a38fc3897a78b6d23abb4463c6bc771e2a45a23812c44dab3e344d121bc4833d5545579e5371f56fb939898197296adf3d4a4e8e589d6d6
Malware Config
Extracted
- Family: cryptbot
- C2: vetiir04.top
- C2: moriiikk02.top
Signatures
-
CryptBot Payload 1 IoCs
Matches:
resource | yara_rule
behavioral1/memory/1180-68-0x0000000000A70000-0x0000000000D1C000-memory.dmp | family_cryptbot
-
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
Blocklisted process makes network request 4 IoCs
Flows:
flow | pid | process
5 | 1104 | WScript.exe
6 | 1104 | WScript.exe
7 | 1104 | WScript.exe
8 | 1104 | WScript.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1180 | rtoosgw.exe
-
VMProtect packed file 5 IoCs (yara rule vmprotect)
Matches:
resource | yara_rule
behavioral1/memory/1740-55-0x00000000003E0000-0x000000000083E000-memory.dmp | vmprotect
\Users\Admin\AppData\Local\Temp\rtoosgw.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\rtoosgw.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\rtoosgw.exe | vmprotect
behavioral1/memory/1180-68-0x0000000000A70000-0x0000000000D1C000-memory.dmp | vmprotect
Both stages are packed: the rule hits the submitted sample's image in memory (PID 1740) and the dropped rtoosgw.exe both on disk and in memory (PID 1180). The family_cryptbot rule above fires only on the same 1180 memory region, i.e. on the unpacked payload, not on the packed file on disk.
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
556 | cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows:
flow | ioc
12 | ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour", but nothing else in this report (no file encryption, no ransom note, no mass file writes) supports that reading; the identified family is the CryptBot infostealer, and the other signatures here (browser data, wallet files, installed-software and processor enumeration) point to host fingerprinting and file collection rather than encryption.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rtoosgw.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rtoosgw.exe
Modifies system certificate store 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (the hex below; the report prints it as one unbroken string, here it is split per property) | d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
  04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e  (property 4, CERT_MD5_HASH_PROP_ID)
  0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b  (property 15, CERT_SIGNATURE_HASH_PROP_ID)
  090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308  (property 9, CERT_ENHKEY_USAGE_PROP_ID)
  14000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155  (property 20, CERT_KEY_IDENTIFIER_PROP_ID)
  0b0000000100000012000000440069006700690043006500720074000000  (property 11, CERT_FRIENDLY_NAME_PROP_ID, UTF-16LE "DigiCert")
  1d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9  (property 29, CERT_SUBJECT_NAME_MD5_HASH_PROP_ID)
  030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436  (property 3, CERT_SHA1_HASH_PROP_ID; equals the key name)
  1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee  (property 25, CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID)
  2000000001000000b3030000  (property 32, CERT_CERT_PROP_ID, followed by 0x3b3 = 947 bytes of DER:)
  308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d0101050500
  3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341
  301e170d3036313131303030303030305a170d3331313131303030303030305a
  3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341
  30820122300d06092a864886f70d01010105000382010f003082010a0282010100
  e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146
  e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710
  bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141
  a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa
  390c3af270203010001
  a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155
  301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100
  cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170
  e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954
  922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d8
  89c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde
What was actually written: the Blob is a CryptoAPI serialized certificate context, a list of CERT_*_PROP_ID entries (property id, a DWORD that is always 1 in these blobs, length, data) whose final property 32 carries the DER certificate. That certificate is self-signed with issuer and subject C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA, valid 2006-11-10 to 2031-11-10, and A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the well-known SHA-1 thumbprint of that public root. The AuthRoot\Certificates hive is the cache that Windows' automatic root-certificate update fills when CryptoAPI builds a chain to a Microsoft-trusted root that is not yet present locally, which routinely happens when a process makes an HTTPS connection. On this evidence the entry is a side effect of the sample's network activity rather than an attacker-installed root; a genuinely malicious root injection would add a non-public CA and would normally land under SystemCertificates\ROOT\Certificates (or the current user's store) instead. Treat this signature as low weight unless the decoded certificate is not a public root.
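The decision above depends on decoding the Blob rather than trusting the signature name. As an added example, not part of the sandbox report or of any Triage tooling, the following Python does that offline: it splits the serialized certificate context into its properties, walks the DER far enough to read serial, issuer, validity and subject, and cross-checks that the certificate's SHA-1 equals both the registry key name and the stored CERT_SHA1_HASH_PROP_ID. The hex is the Blob from the report; the property-id and OID names are the standard wincrypt.h and X.501 values. Nothing else is assumed.

```python
import hashlib
import struct

# Registry key the sample wrote, per the report:
# HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\<thumbprint>\Blob
KEY_THUMBPRINT = "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436"
# The Blob value from the report, split across lines only for readability.
# Property order: 4 MD5, 15 sig hash, 9 EKU, 20 key id, 11 friendly name, 29, 3 SHA-1, 25, 32 certificate.
BLOB_HEX = (
    "04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b"
    "090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308"
    "14000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b0000000100000012000000440069006700690043006500720074000000"
    "1d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436"
    "1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000"
    "308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d0101050500"
    "3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b1310"
    "7777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341"
    "301e170d3036313131303030303030305a170d3331313131303030303030305a"
    "3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b1310"
    "7777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146"
    "e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710"
    "bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141"
    "a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa"
    "390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff"
    "301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155"
    "300d06092a864886f70d01010505000382010100"
    "cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170"
    "e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954"
    "922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d8"
    "89c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde"
)
# CERT_*_PROP_ID values from wincrypt.h and the X.501 attribute OIDs we care about.
PROP_NAMES = {3: "SHA1_HASH", 4: "MD5_HASH", 9: "ENHKEY_USAGE", 11: "FRIENDLY_NAME", 15: "SIGNATURE_HASH",
              20: "KEY_IDENTIFIER", 25: "SUBJECT_PUBLIC_KEY_MD5_HASH", 29: "SUBJECT_NAME_MD5_HASH", 32: "CERT"}
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


def parse_cert_blob(blob: bytes) -> dict:
    """Split a serialized certificate context into {propid: data}. Each entry is
    propid u32le, a u32le that is always 1 in these blobs, length u32le, then data."""
    props, off = {}, 0
    while off < len(blob):
        propid, flag, length = struct.unpack_from("<III", blob, off)  # struct.error if header is cut off
        off += 12
        if flag != 1 or off + length > len(blob):
            raise ValueError(f"property {propid} malformed or truncated at offset {off - 12}")
        props[propid] = blob[off:off + length]
        off += length
    return props


def der_tlv(buf: bytes, off: int = 0):
    """Decode one DER tag-length-value at buf[off]; returns (tag, value, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                          # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError(f"DER element at offset {off} runs past the buffer")
    return tag, buf[off:off + length], off + length


def der_children(value: bytes) -> list:
    """All TLVs contained in a constructed DER value, as (tag, value) pairs."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out


def name_to_dict(name: bytes) -> dict:
    """X.501 Name = SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    out = {}
    for _, rdn_set in der_children(name):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, val) = der_children(atv)
            out[OID_NAMES.get(oid, oid.hex())] = val.decode("latin-1")
    return out


def x509_fields(der: bytes) -> dict:
    """Walk Certificate -> tbsCertificate for serial, issuer, validity and subject."""
    _, cert, _ = der_tlv(der)
    f = der_children(der_children(cert)[0][1])
    i = 1 if f[0][0] == 0xA0 else 0            # skip the EXPLICIT [0] version field when present
    not_before, not_after = (v.decode() for _, v in der_children(f[i + 3][1]))
    return {"serial": f[i][1].hex(), "issuer": name_to_dict(f[i + 2][1]),
            "not_before": not_before, "not_after": not_after, "subject": name_to_dict(f[i + 4][1])}


def analyze_authroot_entry(key_thumbprint: str, blob_hex: str) -> dict:
    """Decode a ...\\Certificates\\<thumbprint>\\Blob value and cross-check it against its key name."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[32]
    sha1 = hashlib.sha1(der).hexdigest().upper()
    fields = x509_fields(der)
    return {"properties": [PROP_NAMES.get(p, p) for p in props],
            "friendly_name": props[11].decode("utf-16-le").rstrip("\x00"),
            "sha1": sha1, "sha1_matches_key": sha1 == key_thumbprint.upper(),
            "sha1_matches_property": props[3].hex().upper() == sha1,
            "self_signed": fields["issuer"] == fields["subject"], **fields}
```

Run `analyze_authroot_entry(KEY_THUMBPRINT, BLOB_HEX)` to get the decoded summary; a result whose `sha1_matches_key` is false, or whose subject is not a CA you recognise, is the case worth escalating. The DER walker is deliberately minimal (no extension or signature parsing) because the triage question is only "which certificate, and does the key name match it".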
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
1180 | rtoosgw.exe
1180 | rtoosgw.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
pid | process | target pid | target process | entries
1740 | d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe | 1636 | cmd.exe | 4
1636 | cmd.exe | 1104 | WScript.exe | 4
1740 | d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe | 556 | cmd.exe | 4
556 | cmd.exe | 1180 | rtoosgw.exe | 4
1740 | d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe | 1608 | cmd.exe | 4
1740 | d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe | 1656 | cmd.exe | 4
1740 | d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe | 1000 | cmd.exe | 4
The report lists each pair four times ("PID 1740 wrote to memory of 1636 1740 ... cmd.exe"). Every target is a child the writer has just created, and the writes are the parent populating the new process's address space during creation, so this table is the process-creation graph behind the tree below and not evidence of injection into an unrelated process.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe"
   - Checks processor information in registry
   - Modifies system certificate store
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\bifdxbrtphpd.vbs"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WScript.exe
         command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bifdxbrtphpd.vbs"
         - Blocklisted process makes network request
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\rtoosgw.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\rtoosgw.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\rtoosgw.exe"
         - Executes dropped EXE
         - Checks processor information in registry
         - Suspicious use of FindShellTrayWindow
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\osiklybdesi.exe"
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\poxqvrupu.exe"
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\gejgyatfln.exe"
Two things to read off this tree. The image paths are under SysWOW64 while every command line says system32: the sample is a 32-bit process on a 64-bit Windows, and file-system redirection maps system32 to SysWOW64 for it and for everything it spawns. Second, the last three launchers target osiklybdesi.exe, poxqvrupu.exe and gejgyatfln.exe, yet no process, signature hit or dropped file for any of those names appears anywhere in this report; only the VBS stage (bifdxbrtphpd.vbs under WScript.exe, which is the process behind the blocklisted network flows 5 to 8) and rtoosgw.exe actually ran in this sandbox session.
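The WriteProcessMemory table and the process tree above carry the same chain in two flattened forms. As an added example that is not part of the report, the following Python rebuilds the tree from the "wrote to memory of" lines, attaches the command lines from the tree, and applies three small chain detections a SOC analyst might write for this pattern (script host run from %TEMP%, cmd.exe /c start of a %TEMP% file, and an executable in %TEMP% launched through cmd.exe). The log text and the command-line map are constructed from this report; PIDs 1608, 1656 and 1000 are intentionally left without command lines because the report does not tie them to a particular one of the three remaining launchers. The rule names are my own.

```python
import re
from collections import Counter, defaultdict

SAMPLE = "d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed input: the seven distinct "wrote to memory of" entries from the report,
# each repeated four times, which is how the sandbox logged them.
WPM_LOG = "\n".join(line for line in [
    f"PID 1740 wrote to memory of 1636 1740 {SAMPLE} cmd.exe",
    "PID 1636 wrote to memory of 1104 1636 cmd.exe WScript.exe",
    f"PID 1740 wrote to memory of 556 1740 {SAMPLE} cmd.exe",
    "PID 556 wrote to memory of 1180 556 cmd.exe rtoosgw.exe",
    f"PID 1740 wrote to memory of 1608 1740 {SAMPLE} cmd.exe",
    f"PID 1740 wrote to memory of 1656 1740 {SAMPLE} cmd.exe",
    f"PID 1740 wrote to memory of 1000 1740 {SAMPLE} cmd.exe",
] for _ in range(4))

# Command lines from the report's process tree; 1608/1656/1000 are deliberately unmapped.
CMDLINES = {
    1740: f'"{TEMP}\\{SAMPLE}"',
    1636: f'"C:\\Windows\\system32\\cmd.exe" /c start "" "{TEMP}\\bifdxbrtphpd.vbs"',
    1104: f'"C:\\Windows\\System32\\WScript.exe" "{TEMP}\\bifdxbrtphpd.vbs"',
    556: f'"C:\\Windows\\system32\\cmd.exe" /c start "" "{TEMP}\\rtoosgw.exe"',
    1180: f'"{TEMP}\\rtoosgw.exe"',
}

# "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+', re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def build_tree(log_text: str):
    """Return (children, names, edge_counts); duplicate edges are counted, not re-added."""
    children, names, counts = defaultdict(list), {}, Counter()
    for m in WPM_RE.finditer(log_text):
        parent, child = int(m[1]), int(m[2])
        names[parent], names[child] = m[3], m[4]
        counts[(parent, child)] += 1
        if child not in children[parent]:
            children[parent].append(child)
    return children, names, counts


def render(children, names, root: int, depth: int = 0) -> list:
    """Indented text tree, one 'pid image' line per process, children in creation order."""
    lines = [f"{'  ' * depth}{root} {names[root]}"]
    for child in children.get(root, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


def findings(children, names, cmdlines) -> list:
    """Chain detections as (pid, rule, detail) tuples, in tree order."""
    out = []
    for parent, kids in list(children.items()):
        for pid in kids:
            name, cmd = names[pid].lower(), cmdlines.get(pid, "")
            in_temp = bool(TEMP_RE.search(cmd))
            if name in SCRIPT_HOSTS and in_temp:
                out.append((pid, "script-host-temp", f"{names[pid]} runs a script from %TEMP% (parent {parent})"))
            elif name == "cmd.exe" and "/c start" in cmd.lower() and in_temp:
                out.append((pid, "cmd-start-temp", f"cmd.exe /c start of a %TEMP% file (parent {parent})"))
            elif names[parent].lower() == "cmd.exe" and in_temp:
                out.append((pid, "temp-exe-via-cmd", f"{names[pid]} launched from %TEMP% via cmd.exe {parent}"))
    return out
```

`build_tree(WPM_LOG)` collapses the 28 entries to seven edges, `render(children, names, 1740)` prints the same eight-process tree as the report, and `findings(...)` flags 1636, 556, 1104 and 1180 while staying silent on the three launchers whose targets never ran. The same three rules map directly onto Sysmon event 1 (process creation) fields, where ParentImage, Image and CommandLine replace the sandbox's pid and image names.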
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bifdxbrtphpd.vbs
- Filesize: 136B
- MD5: c93f05e278c492af244f83814f839d5e
- SHA1: a799ded060a3c937e2d868d97eb118c8b9af4ff2
- SHA256: ba55029f7ade62848768ae6e264f62221646851775f41f70c4cee017d3aca022
- SHA512: 98946891f015981e3c68d31123be6195f655a4f67ad6b0c3bdcfbb7e3a5c2a535bc7446869e752d1403547991328bb746f5a50fa52d165a44be63995e0574827
-
C:\Users\Admin\AppData\Local\Temp\rtoosgw.exe (the report lists this file three times, twice under C:\Users\Admin\AppData\Local\Temp\ and once as \Users\Admin\AppData\Local\Temp\rtoosgw.exe, with identical hashes each time)
- Filesize: 1.3MB
- MD5: 6f34430da8bf5550b4d894cede4e78e0
- SHA1: 9fe5dba145b0f7aa95cfe0076c4bf953398a8d39
- SHA256: 6acd10ab5757aa36c9f79b9348af3ae32cb02f26f420cbb673b2be7d6596cbb7
- SHA512: 5eacdb05d48cad5aeb3f6ed813c29ad2f996093fbe4bdf1cb92edbbe4b55f07e59f17ba65657e509d6e4b411695202f4a2262ba54392f3c9fccd57f82d69d383
-
Memory dumps
- memory/556-62-0x0000000000000000-mapping.dmp
- memory/1000-76-0x0000000000000000-mapping.dmp
- memory/1104-60-0x0000000000000000-mapping.dmp
- memory/1180-65-0x0000000000000000-mapping.dmp
- memory/1180-68-0x0000000000A70000-0x0000000000D1C000-memory.dmp, 2.7MB (the region on which both the family_cryptbot and vmprotect rules matched, i.e. the unpacked payload of rtoosgw.exe)
- memory/1180-70-0x0000000073F41000-0x0000000073F43000-memory.dmp, 8KB
- memory/1180-71-0x0000000074411000-0x0000000074413000-memory.dmp, 8KB
- memory/1608-72-0x0000000000000000-mapping.dmp
- memory/1636-57-0x0000000000000000-mapping.dmp
- memory/1656-74-0x0000000000000000-mapping.dmp
- memory/1740-54-0x00000000755C1000-0x00000000755C3000-memory.dmp, 8KB
- memory/1740-55-0x00000000003E0000-0x000000000083E000-memory.dmp, 4.4MB (the submitted sample's image in memory; vmprotect rule matched here)