Analysis
-
max time kernel
39s -
max time network
42s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
28-06-2022 11:05
Static task
static1
Behavioral task
behavioral1
Sample
elast.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
elast.exe
Resource
win10v2004-20220414-en
General
-
Target
elast.exe
-
Size
79KB
-
MD5
344d23c036cf33a82cf9a454a90ff274
-
SHA1
2a650979c1272dd52a3f4374e722f7a1acc72b06
-
SHA256
d57f4a81dcbfd938b8beca24957ea0854a0fe93dcea5d0f24e94412d485de00c
-
SHA512
68bcabcc53239d6a64da60b7d25456a766bcd138c06499dcb8d6295f6b26ebdd1fadad533319b7a812c7dace4108bc82367fe685c6ba547670fb75310832a8b8
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
elast.exedescription ioc process File renamed C:\Users\Admin\Pictures\UnlockPop.png => C:\Users\Admin\Pictures\UnlockPop.png.REDTM elast.exe File renamed C:\Users\Admin\Pictures\WriteConvertFrom.raw => C:\Users\Admin\Pictures\WriteConvertFrom.raw.REDTM elast.exe File opened for modification C:\Users\Admin\Pictures\WriteConvertFrom.raw.REDTM elast.exe File opened for modification C:\Users\Admin\Pictures\InvokeClear.crw.REDTM elast.exe File renamed C:\Users\Admin\Pictures\ResolveConvertFrom.tiff => C:\Users\Admin\Pictures\ResolveConvertFrom.tiff.REDTM elast.exe File opened for modification C:\Users\Admin\Pictures\SelectAdd.png.REDTM elast.exe File opened for modification C:\Users\Admin\Pictures\ResolveConvertFrom.tiff.REDTM elast.exe File opened for modification C:\Users\Admin\Pictures\UnlockPop.png.REDTM elast.exe File opened for modification C:\Users\Admin\Pictures\ResolveConvertFrom.tiff elast.exe File renamed C:\Users\Admin\Pictures\InvokeClear.crw => C:\Users\Admin\Pictures\InvokeClear.crw.REDTM elast.exe File renamed C:\Users\Admin\Pictures\SelectAdd.png => C:\Users\Admin\Pictures\SelectAdd.png.REDTM elast.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
elast.exedescription ioc process File opened (read-only) \??\B: elast.exe File opened (read-only) \??\R: elast.exe File opened (read-only) \??\Y: elast.exe File opened (read-only) \??\O: elast.exe File opened (read-only) \??\H: elast.exe File opened (read-only) \??\K: elast.exe File opened (read-only) \??\L: elast.exe File opened (read-only) \??\N: elast.exe File opened (read-only) \??\Q: elast.exe File opened (read-only) \??\E: elast.exe File opened (read-only) \??\T: elast.exe File opened (read-only) \??\I: elast.exe File opened (read-only) \??\F: elast.exe File opened (read-only) \??\J: elast.exe File opened (read-only) \??\W: elast.exe File opened (read-only) \??\U: elast.exe File opened (read-only) \??\P: elast.exe File opened (read-only) \??\S: elast.exe File opened (read-only) \??\G: elast.exe File opened (read-only) \??\M: elast.exe File opened (read-only) \??\A: elast.exe File opened (read-only) \??\Z: elast.exe File opened (read-only) \??\X: elast.exe File opened (read-only) \??\V: elast.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 1532 vssadmin.exe 2012 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
elast.exepid process 2004 elast.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1396 vssvc.exe Token: SeRestorePrivilege 1396 vssvc.exe Token: SeAuditPrivilege 1396 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
elast.execmd.execmd.exedescription pid process target process PID 2004 wrote to memory of 1620 2004 elast.exe cmd.exe PID 2004 wrote to memory of 1620 2004 elast.exe cmd.exe PID 2004 wrote to memory of 1620 2004 elast.exe cmd.exe PID 2004 wrote to memory of 1620 2004 elast.exe cmd.exe PID 1620 wrote to memory of 1532 1620 cmd.exe vssadmin.exe PID 1620 wrote to memory of 1532 1620 cmd.exe vssadmin.exe PID 1620 wrote to memory of 1532 1620 cmd.exe vssadmin.exe PID 2004 wrote to memory of 1148 2004 elast.exe cmd.exe PID 2004 wrote to memory of 1148 2004 elast.exe cmd.exe PID 2004 wrote to memory of 1148 2004 elast.exe cmd.exe PID 2004 wrote to memory of 1148 2004 elast.exe cmd.exe PID 1148 wrote to memory of 2012 1148 cmd.exe vssadmin.exe PID 1148 wrote to memory of 2012 1148 cmd.exe vssadmin.exe PID 1148 wrote to memory of 2012 1148 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\elast.exe"C:\Users\Admin\AppData\Local\Temp\elast.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1148-57-0x0000000000000000-mapping.dmp
-
memory/1532-56-0x0000000000000000-mapping.dmp
-
memory/1620-55-0x0000000000000000-mapping.dmp
-
memory/2004-54-0x00000000753E1000-0x00000000753E3000-memory.dmpFilesize
8KB
-
memory/2012-58-0x0000000000000000-mapping.dmp