Overview

overview

10

Static

static

10

Log4J Malw...26f.7z

windows7_x64

3

Log4J Malw...26f.7z

windows10-2004_x64

3

90ee1a8e8f...c7d26f

linux_amd64

6e25ad0310...8b.elf

linux_amd64

7e9663f872...512.sh

linux_amd64

7e9663f872...512.sh

linux_armhf

7e9663f872...512.sh

linux_mips

7e9663f872...512.sh

linux_mipsel

10fad59b07...2b4513

linux_amd64

10fad59b07...2b4513

linux_armhf

10fad59b07...2b4513

linux_mips

10fad59b07...2b4513

linux_mipsel

3f6120ca0f...d26.sh

windows7_x64

3

3f6120ca0f...d26.sh

windows10-2004_x64

3

776c341504...abcc00

linux_amd64

15e7942ebf...79b36b

linux_mips

e7c5b3de93...cc0e82

linux_amd64

Analysis

  • max time kernel
    49s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    13/05/2022, 16:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Log4J Malware/Elknot/90ee1a8e8f0ea5085b83b8efe174674a93260b599729bf53e1b140e2acc7d26f.7z

  • Size

    362KB

  • MD5

    86a016b9b15f8b409b1b022069c1eb42

  • SHA1

    fbed2f40fac21a2ef654026e37eafb82fb9f4ca5

  • SHA256

    f43aa2f2aad2308deeb2d2f5f01280f1a544412d8805422a7714d9bf758c4fe1

  • SHA512

    49d7c6b2b64903b149c0337a7ee7463a6e6fa8abcf3a6d2c7456f854b5f8b53535280d936a2499d803e1258b25994ed805ae90f197ba18ad81301627c7c26430

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Log4J Malware\Elknot\90ee1a8e8f0ea5085b83b8efe174674a93260b599729bf53e1b140e2acc7d26f.7z"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Log4J Malware\Elknot\90ee1a8e8f0ea5085b83b8efe174674a93260b599729bf53e1b140e2acc7d26f.7z
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Log4J Malware\Elknot\90ee1a8e8f0ea5085b83b8efe174674a93260b599729bf53e1b140e2acc7d26f.7z"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1004
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x55c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1528

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1004-82-0x0000000075E51000-0x0000000075E53000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1580-54-0x000007FEFBA61000-0x000007FEFBA63000-memory.dmp

    Filesize

    8KB

    Download