Analysis

max time kernel:  186s
max time network: 184s
platform:         windows10-2004_x64
resource:         win10v2004-20220414-en
submitted:        22/06/2022, 06:23

Static task:      static1
Behavioral task:  behavioral1
Sample:           2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe
Resource:         win7-20220414-en
General

Target:  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe
Size:    1.9MB
MD5:     2ee3f4df877529652dda4e1216b3948e
SHA1:    aac8923c22c9cd61afef7f4676e13821cbf7284e
SHA256:  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb
SHA512:  f82af94112c2fcfb9686ae7b19b25dba8d7e46fbd55945f8b91a5863a728fb7153201097b45415db38bad3a4981a5a9f8bfb2886d51cb92c2f4300f7d7a77390
Malware Config

Extracted
  cryptbot
    deqsp42.top
    morvvg04.top
  payload_url: http://pilqde02.top/download.php?file=lv.exe
Signatures

CryptBot Payload  2 IoCs
  resource                                                                      yara_rule
  behavioral2/memory/4372-147-0x0000000004650000-0x0000000004A83000-memory.dmp  family_cryptbot
  behavioral2/memory/4372-148-0x0000000004650000-0x0000000004A83000-memory.dmp  family_cryptbot

Executes dropped EXE  2 IoCs
  pid   Process
  4500  Per.exe.com
  4372  Per.exe.com

Checks computer location settings  2 TTPs  1 IoCs
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                             Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe

Reads user/profile data of web browsers  2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system  1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry  2 TTPs  2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Per.exe.com
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Per.exe.com

Runs ping.exe  1 TTPs  1 IoCs
  pid   Process
  4432  PING.EXE

Suspicious use of FindShellTrayWindow  1 IoCs
  pid   Process
  4372  Per.exe.com

Suspicious use of WriteProcessMemory  21 IoCs
  description                       pid   Process                                                                procid_target
  PID 3696 wrote to memory of 4676  3696  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe  79
  PID 3696 wrote to memory of 4676  3696  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe  79
  PID 3696 wrote to memory of 4676  3696  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe  79
  PID 3696 wrote to memory of 4104  3696  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe  81
  PID 3696 wrote to memory of 4104  3696  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe  81
  PID 3696 wrote to memory of 4104  3696  2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe  81
  PID 4104 wrote to memory of 2360  4104  cmd.exe                                                                83
  PID 4104 wrote to memory of 2360  4104  cmd.exe                                                                83
  PID 4104 wrote to memory of 2360  4104  cmd.exe                                                                83
  PID 2360 wrote to memory of 3712  2360  cmd.exe                                                                84
  PID 2360 wrote to memory of 3712  2360  cmd.exe                                                                84
  PID 2360 wrote to memory of 3712  2360  cmd.exe                                                                84
  PID 2360 wrote to memory of 4500  2360  cmd.exe                                                                85
  PID 2360 wrote to memory of 4500  2360  cmd.exe                                                                85
  PID 2360 wrote to memory of 4500  2360  cmd.exe                                                                85
  PID 2360 wrote to memory of 4432  2360  cmd.exe                                                                86
  PID 2360 wrote to memory of 4432  2360  cmd.exe                                                                86
  PID 2360 wrote to memory of 4432  2360  cmd.exe                                                                86
  PID 4500 wrote to memory of 4372  4500  Per.exe.com                                                            87
  PID 4500 wrote to memory of 4372  4500  Per.exe.com                                                            87
  PID 4500 wrote to memory of 4372  4500  Per.exe.com                                                            87
Processes

(Process tree; each node shows image path, command line, triggered signatures and PID. Indentation is the parent/child depth.)

C:\Users\Admin\AppData\Local\Temp\2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2ee6c1d5b61c10718061d22bfcaf956d3bfdf9dce64b7e7fe026403bb95881eb.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3696

    C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c echo Tmqp
        PID:4676

    C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Ebbene.tif
        - Suspicious use of WriteProcessMemory
        PID:4104

        C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe
            - Suspicious use of WriteProcessMemory
            PID:2360

            C:\Windows\SysWOW64\findstr.exe
                Command line: findstr /V /R "^olbWzuGsDjNJLqKVecIMawnynPQVOOEbgFuctWvIrlmMslNTQrohAawuLanDfKDOHfxyTfQuZqIoCLOheXyLGsXWEqJMbSazHKyeQHZBjwg$" Ricomincia.ppsm
                PID:3712

            C:\Users\Admin\AppData\Roaming\xWyktprslGXXCcoEzi\Per.exe.com
                Command line: Per.exe.com o
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory
                PID:4500

                C:\Users\Admin\AppData\Roaming\xWyktprslGXXCcoEzi\Per.exe.com
                    Command line: C:\Users\Admin\AppData\Roaming\xWyktprslGXXCcoEzi\Per.exe.com o
                    - Executes dropped EXE
                    - Checks processor information in registry
                    - Suspicious use of FindShellTrayWindow
                    PID:4372

            C:\Windows\SysWOW64\PING.EXE
                Command line: ping 127.0.0.1 -n 30
                - Runs ping.exe
                PID:4432
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 107KB
MD5:      37d64db57fd752986e622543824e0725
SHA1:     b60b7fed41991144e1ebad4b39b2412a36fa195c
SHA256:   36e19eb1e5d62ada20ffe19e391429cba8d8d8dae5049efa0e48e7e542782d78
SHA512:   74f916e1ff9bce2bb420ab5505d9828e64a3d4e23cb97d3043a7a3378d92ef11e031ed186246135409102d4bdc35929d652e8c30b7445f896cdee7082b058b50

Filesize: 887KB
MD5:      bad56ae474914adabb5dc6809e3f5dd1
SHA1:     cf6165513ed373d5ad5ebeb1cb4ddf417bdc17dd
SHA256:   02eb64fc3ba40f3774a6fde8c0dcfc50bb9c34d83391f907271fcaff58814223
SHA512:   6b283363c60d8030a72629e6aa9ba355346e28bf736a10fbd2dc8e9b74ac1ffb45918125cc81e1929a1a8194e298676e614d5661addbab39a3461173b4ba9e81

Filesize: 598KB
MD5:      1075d9c9ddc5021e95c8f81a8410d29b
SHA1:     5e071d8362ef3d46779d761969e82055385a9ae4
SHA256:   596b2e47f3cd2b9cb75cf1ed1eeec58f0564eb8c6e8d64cb3610b0ae2d80ec2f
SHA512:   f611d1ccdb87a12315567e491b59e36127017c92791cd89b77f681d520ce6d6b2972701daea39204e15539b65452c0b5e887af559b683d328e325415327ff993

Filesize: 921KB
MD5:      78ba0653a340bac5ff152b21a83626cc
SHA1:     b12da9cb5d024555405040e65ad89d16ae749502
SHA256:   05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512:   efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Filesize: 921KB
MD5:      78ba0653a340bac5ff152b21a83626cc
SHA1:     b12da9cb5d024555405040e65ad89d16ae749502
SHA256:   05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512:   efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Filesize: 921KB
MD5:      773ac9dd64caeec02da29baa94ed9d46
SHA1:     7a03637337ef579e1d3c48c451e07fee4b5b40df
SHA256:   e810ef8c05059226d79d8b780d4aa8e79f37344a82005e5abcaf02ff5b22cdc0
SHA512:   9247f617380c38a3914c667cf0695a0c6707408184f6bb3a387df55b35cbd7be1e10c6062c62ae0b0ff36d7c3ddf1f7565d8c041aeec34b71898f27aa30d4e73

Filesize: 598KB
MD5:      1075d9c9ddc5021e95c8f81a8410d29b
SHA1:     5e071d8362ef3d46779d761969e82055385a9ae4
SHA256:   596b2e47f3cd2b9cb75cf1ed1eeec58f0564eb8c6e8d64cb3610b0ae2d80ec2f
SHA512:   f611d1ccdb87a12315567e491b59e36127017c92791cd89b77f681d520ce6d6b2972701daea39204e15539b65452c0b5e887af559b683d328e325415327ff993