Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
18-02-2023 00:48
General
-
Target
EliStarA.exe
-
Size
1.7MB
-
MD5
6b8dcb09a6f8e836b5dcc600d11c6223
-
SHA1
b0a1582b9e9871064afae5cb6b1d369599506763
-
SHA256
11aaa12e58f39f192b4f66e56cd0e343d73b69a48dc77a6dfb936483de120152
-
SHA512
feb8bd04778b29efc9b0128dbfd9562368eb825a560dc610abed6a73de1dc7bd33e5e198b439b36828d0a66d4657e354d4a65646141ad3425bed6fd74cb7fcae
-
SSDEEP
49152:lJCDpfmhr2qIhBCwb8lIgwylCJHXv5y7lE8X:6HB/b8KgZA5E
Score
10/10
Malware Config
Signatures
-
DMA Locker
Ransomware family with some advanced features, like encryption of unmapped network shares.
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies system executable filetype association 2 TTPs 8 IoCs
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 19 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Drops startup file 64 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\EliStarA.exe"C:\Users\Admin\AppData\Local\Temp\EliStarA.exe"1⤵
- Modifies system executable filetype association
- Adds policy Run key to start application
- Drops file in Drivers directory
- Sets service image path in registry
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com2.{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\*.*" /a /q"2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com4.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\*.*" /a /q"2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com2.{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}""2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com4.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}""2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}""2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}""2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt3.{1D2680C9-0E2A-469d-B787-065558BC7D43}\*.*" /a /q"2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt3.{1D2680C9-0E2A-469d-B787-065558BC7D43}""2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt6.{17cd9488-1228-4b2f-88ce-4298e93e0966}\*.*" /a /q"2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt6.{17cd9488-1228-4b2f-88ce-4298e93e0966}""2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt7.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\*.*" /a /q"2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt7.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}""2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "del "\\.\C:\WINDOWS\FONTS\COM4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\*.*" /a /q"2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "rd "\\.\C:\WINDOWS\FONTS\COM4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}""2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "del \\.\C:\con.sys\*.* /a /q"2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "del \\.\C:\con.ini\*.* /a /q"2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "rd \\.\C:\con.ini"2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "rd \\.\C:\con.sys"2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\*.*" /a /q"2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\*.*" /a /q"2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "del \\.\C:\con.usb\*.* /a /q"2⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c "rd \\.\C:\con.usb"2⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe -delete -tn Microsoft\Windows\WindowsUpdate\RUXIM\RUXIMDisplay -F2⤵
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe -delete -tn Microsoft\Windows\WindowsUpdate\RUXIM\RUXIMSync -F2⤵
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe -create -tn Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler -xml plugscheduler.xml -F2⤵
-
C:\Windows\system32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId 4c48dc25-f848-4ead-b5a7-029f3fad883b /RunHandlerComServer1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wuauclt.exe"C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId 7c797ce7-296a-411b-b0a2-4d5a4376e9db /RunHandlerComServer1⤵
-
C:\Windows\system32\MusNotificationUx.exe%systemroot%\system32\MusNotificationUx.exe QueryNotificationState1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\RUXIM\plugscheduler.xmlFilesize
3KB
MD5159a6525d9aa23a19945f3a8388b0a76
SHA19a0d4e0f5433d0ce7fb9caa6bd83c5fb3ff68207
SHA256581002c8af74d590259b36656023499d2fead6a2fc5632472fd3eef9563cf4d9
SHA512726cc4faa8b0977c22e996d71bab818936c0adfd8fd1ea02dea076f588513a0462388e7d3f51ce4d71cee835cde9366a03ee980d417fbc94182af07569b71538
-
memory/840-136-0x0000000000000000-mapping.dmp
-
memory/1032-152-0x0000000000000000-mapping.dmp
-
memory/1500-149-0x0000000000000000-mapping.dmp
-
memory/1520-153-0x0000000000000000-mapping.dmp
-
memory/1640-158-0x0000000000000000-mapping.dmp
-
memory/1816-145-0x0000000000000000-mapping.dmp
-
memory/2032-148-0x0000000000000000-mapping.dmp
-
memory/2128-157-0x0000000000000000-mapping.dmp
-
memory/2140-133-0x0000000000400000-0x00000000005BF000-memory.dmpFilesize
1.7MB
-
memory/2140-156-0x0000000000400000-0x00000000005BF000-memory.dmpFilesize
1.7MB
-
memory/2140-132-0x0000000000400000-0x00000000005BF000-memory.dmpFilesize
1.7MB
-
memory/2452-155-0x0000000000000000-mapping.dmp
-
memory/2544-150-0x0000000000000000-mapping.dmp
-
memory/3020-138-0x0000000000000000-mapping.dmp
-
memory/3272-139-0x0000000000000000-mapping.dmp
-
memory/3476-141-0x0000000000000000-mapping.dmp
-
memory/3700-135-0x0000000000000000-mapping.dmp
-
memory/3824-146-0x0000000000000000-mapping.dmp
-
memory/3852-137-0x0000000000000000-mapping.dmp
-
memory/4056-143-0x0000000000000000-mapping.dmp
-
memory/4140-154-0x0000000000000000-mapping.dmp
-
memory/4168-134-0x0000000000000000-mapping.dmp
-
memory/4328-144-0x0000000000000000-mapping.dmp
-
memory/4380-140-0x0000000000000000-mapping.dmp
-
memory/4668-159-0x0000000000000000-mapping.dmp
-
memory/4912-147-0x0000000000000000-mapping.dmp
-
memory/4924-151-0x0000000000000000-mapping.dmp
-
memory/4944-142-0x0000000000000000-mapping.dmp