d57f4a81dcbfd938b8beca24957ea0854a0fe93dcea5d0f24e94412d485de00c

General

Target

elast.exe
Size

79KB
MD5

344d23c036cf33a82cf9a454a90ff274
SHA1

2a650979c1272dd52a3f4374e722f7a1acc72b06
SHA256

d57f4a81dcbfd938b8beca24957ea0854a0fe93dcea5d0f24e94412d485de00c
SHA512

68bcabcc53239d6a64da60b7d25456a766bcd138c06499dcb8d6295f6b26ebdd1fadad533319b7a812c7dace4108bc82367fe685c6ba547670fb75310832a8b8

Score

9^/10

ransomware

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\BackupClose.png.REDTM	elast.exe
File renamed	C:\Users\Admin\Pictures\SkipConvertFrom.crw => C:\Users\Admin\Pictures\SkipConvertFrom.crw.REDTM	elast.exe
File opened for modification	C:\Users\Admin\Pictures\SkipConvertFrom.crw.REDTM	elast.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectProtect.png.REDTM	elast.exe
File renamed	C:\Users\Admin\Pictures\WriteRestart.crw => C:\Users\Admin\Pictures\WriteRestart.crw.REDTM	elast.exe
File opened for modification	C:\Users\Admin\Pictures\WriteRestart.crw.REDTM	elast.exe
File renamed	C:\Users\Admin\Pictures\BackupClose.png => C:\Users\Admin\Pictures\BackupClose.png.REDTM	elast.exe
File opened for modification	C:\Users\Admin\Pictures\DebugProtect.crw.REDTM	elast.exe
File renamed	C:\Users\Admin\Pictures\ResumeGroup.png => C:\Users\Admin\Pictures\ResumeGroup.png.REDTM	elast.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeGroup.png.REDTM	elast.exe
File renamed	C:\Users\Admin\Pictures\UnprotectProtect.png => C:\Users\Admin\Pictures\UnprotectProtect.png.REDTM	elast.exe
File renamed	C:\Users\Admin\Pictures\DebugProtect.crw => C:\Users\Admin\Pictures\DebugProtect.crw.REDTM	elast.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	elast.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

File Deletion

Inhibit System Recovery

pid	Process
2424	vssadmin.exe
4440	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1980	elast.exe
1980	elast.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2520	1980	elast.exe	81
PID 1980 wrote to memory of 2520	1980	elast.exe	81
PID 2520 wrote to memory of 2424	2520	cmd.exe	83
PID 2520 wrote to memory of 2424	2520	cmd.exe	83
PID 1980 wrote to memory of 4548	1980	elast.exe	87
PID 1980 wrote to memory of 4548	1980	elast.exe	87
PID 4548 wrote to memory of 4440	4548	cmd.exe	89
PID 4548 wrote to memory of 4440	4548	cmd.exe	89