Analysis
- max time kernel: 163s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 10:30
Static task: static1
Behavioral task: behavioral1
Sample: d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Resource: win7-20220414-en
General
- Target: d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
- Size: 2.3MB
- MD5: 968e9faa49c57145eb9aa1d88147980a
- SHA1: 6f5824fac218092bdd0d2215b9e59615fdb4ddc3
- SHA256: d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109
- SHA512: 9330d072ce4689299a38fc3897a78b6d23abb4463c6bc771e2a45a23812c44dab3e344d121bc4833d5545579e5371f56fb939898197296adf3d4a4e8e589d6d6
Malware Config
Extracted
cryptbot
vetiir04.top
moriiikk02.top
Signatures
-
CryptBot Payload 1 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/2772-139-0x00000000009A0000-0x0000000000C4C000-memory.dmp  family_cryptbot
-
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
Blocklisted process makes network request 3 IoCs
Processes:
flow  pid   process
6     4684  WScript.exe
7     4684  WScript.exe
9     4684  WScript.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
2772  mookweyx.exe
-
Processes:
resource                                                                      yara_rule
behavioral2/memory/1876-130-0x0000000000210000-0x000000000066E000-memory.dmp  vmprotect
C:\Users\Admin\AppData\Local\Temp\mookweyx.exe                                vmprotect
C:\Users\Admin\AppData\Local\Temp\mookweyx.exe                                vmprotect
behavioral2/memory/2772-139-0x00000000009A0000-0x0000000000C4C000-memory.dmp  vmprotect
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  cmd.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
29    ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                                   process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      mookweyx.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  mookweyx.exe
-
Modifies registry class 1 IoCs
Processes:
description  ioc                                                                                    process
Key created  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings  cmd.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
2772  mookweyx.exe
2772  mookweyx.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description                        pid   process                                                                target process
PID 1876 wrote to memory of 3644  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
PID 1876 wrote to memory of 3644  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
PID 1876 wrote to memory of 3644  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
PID 1876 wrote to memory of 3756  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
PID 1876 wrote to memory of 3756  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
PID 1876 wrote to memory of 3756  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
PID 3756 wrote to memory of 2772  3756  cmd.exe                                                                mookweyx.exe
PID 3756 wrote to memory of 2772  3756  cmd.exe                                                                mookweyx.exe
PID 3756 wrote to memory of 2772  3756  cmd.exe                                                                mookweyx.exe
PID 3644 wrote to memory of 4684  3644  cmd.exe                                                                WScript.exe
PID 3644 wrote to memory of 4684  3644  cmd.exe                                                                WScript.exe
PID 3644 wrote to memory of 4684  3644  cmd.exe                                                                WScript.exe
PID 1876 wrote to memory of 5060  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
PID 1876 wrote to memory of 5060  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
PID 1876 wrote to memory of 5060  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
PID 1876 wrote to memory of 2640  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
PID 1876 wrote to memory of 2640  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
PID 1876 wrote to memory of 2640  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
PID 1876 wrote to memory of 3044  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
PID 1876 wrote to memory of 3044  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
PID 1876 wrote to memory of 3044  1876  d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe  cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe"
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\wogyeapcor.vbs"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    -
        C:\Windows\SysWOW64\WScript.exe (depth 3)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wogyeapcor.vbs"
        - Blocklisted process makes network request
-
    C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\mookweyx.exe"
    - Suspicious use of WriteProcessMemory
    -
        C:\Users\Admin\AppData\Local\Temp\mookweyx.exe (depth 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\mookweyx.exe"
        - Executes dropped EXE
        - Checks processor information in registry
        - Suspicious use of FindShellTrayWindow
-
    C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\fvnnghnuj.exe"
-
    C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ttsanyinxu.exe"
-
    C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\mewrnfof.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize: 717B
MD5: 54e9306f95f32e50ccd58af19753d929
SHA1: eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA256: 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA512: 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize: 192B
MD5: 913993507c8ae30d8d97b3d760850141
SHA1: 1fc4f2681d2a6afba07f8127a49efbb49dcf2fc4
SHA256: c7f001836bbeece1ecaf438455ba1323fa10db89c5db97c55fa2b4b7bc627052
SHA512: 65dedf34b7cd8203559803a559b2886d75e2bc92ccccf454408f67dcd6260d6323ab34b6a182b3553b3c2076a6633abbbbd91f78157da1b82f86877b4ad52469
-
C:\Users\Admin\AppData\Local\Temp\mookweyx.exe
Filesize: 1.3MB
MD5: 6f34430da8bf5550b4d894cede4e78e0
SHA1: 9fe5dba145b0f7aa95cfe0076c4bf953398a8d39
SHA256: 6acd10ab5757aa36c9f79b9348af3ae32cb02f26f420cbb673b2be7d6596cbb7
SHA512: 5eacdb05d48cad5aeb3f6ed813c29ad2f996093fbe4bdf1cb92edbbe4b55f07e59f17ba65657e509d6e4b411695202f4a2262ba54392f3c9fccd57f82d69d383
-
C:\Users\Admin\AppData\Local\Temp\wogyeapcor.vbs
Filesize: 139B
MD5: 28e6eb79e07cae5f1ebd46ead32f3b90
SHA1: e231976c0fec9e073d06670b1b20d3d7e0c18ff6
SHA256: 2241fb9ee02d0bdb04df5b0bc4d2e65553823cda99e14cef315bada33ed9b5be
SHA512: 79f2911c49871e227b2f954c3ea5167ef4498abfde6f020425101042c9017e3f7fccd149660dac9149cd24c103beae59fc9bbcb84548ada5242b08777b7f04e2
-
memory/1876-130-0x0000000000210000-0x000000000066E000-memory.dmp
Filesize: 4.4MB
-
memory/2640-144-0x0000000000000000-mapping.dmp
-
memory/2772-135-0x0000000000000000-mapping.dmp
-
memory/2772-139-0x00000000009A0000-0x0000000000C4C000-memory.dmp
Filesize: 2.7MB
-
memory/3044-145-0x0000000000000000-mapping.dmp
-
memory/3644-132-0x0000000000000000-mapping.dmp
-
memory/3756-133-0x0000000000000000-mapping.dmp
-
memory/4684-138-0x0000000000000000-mapping.dmp
-
memory/5060-143-0x0000000000000000-mapping.dmp