Overview
overview
10Static
static
3cerber.exe
windows10-2004-x64
10cryptowall.exe
windows10-2004-x64
3jigsaw.exe
windows10-2004-x64
10Locky.exe
windows10-2004-x64
10131.exe
windows10-2004-x64
1Matsnu-MBR...3 .exe
windows10-2004-x64
3027cc450ef...d9.dll
windows10-2004-x64
10027cc450ef...ju.dll
windows10-2004-x64
10myguy.hta
windows10-2004-x64
3svchost.exe
windows10-2004-x64
7Ransomware...oad.sh
windows10-2004-x64
3Ransomware...est.py
windows10-2004-x64
3Ransomware...st2.py
windows10-2004-x64
3Ransomware...rna.py
windows10-2004-x64
3Analysis
-
max time kernel
1800s -
max time network
1801s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system -
submitted
07-12-2023 15:25
Static task
static1
Behavioral task
behavioral1
Sample
cerber.exe
Resource
win10v2004-20231130-en
Behavioral task
behavioral2
Sample
cryptowall.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral3
Sample
jigsaw.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral4
Sample
Locky.exe
Resource
win10v2004-20231130-en
Behavioral task
behavioral5
Sample
131.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral6
Sample
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral7
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win10v2004-20231130-en
Behavioral task
behavioral8
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win10v2004-20231127-en
Behavioral task
behavioral9
Sample
myguy.hta
Resource
win10v2004-20231127-en
Behavioral task
behavioral10
Sample
svchost.exe
Resource
win10v2004-20231130-en
Behavioral task
behavioral11
Sample
Ransomware-master/etc/load.sh
Resource
win10v2004-20231127-en
Behavioral task
behavioral12
Sample
Ransomware-master/test.py
Resource
win10v2004-20231127-en
Behavioral task
behavioral13
Sample
Ransomware-master/test2.py
Resource
win10v2004-20231130-en
Behavioral task
behavioral14
Sample
Ransomware-master/warna.py
Resource
win10v2004-20231130-en
General
-
Target
svchost.exe
-
Size
704KB
-
MD5
d2ec63b63e88ece47fbaab1ca22da1ef
-
SHA1
dd52fcc042a44a2af9e43c15a8e520b54128cdc8
-
SHA256
e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5
-
SHA512
89d9e63d5f3b34be3d25317933031815a42c039fbee30ce8c86f8b1b7c6ca9ccfc8731da99b9246381a2c05a95ada423f4944ff72111eb0451a44e9dcb3e053e
-
SSDEEP
12288:rue4X2Uz0DsetgxLdsCHvX8XYJWs6XS1bFLDw1P86jZpMV7uikFg:v+2UzSgxLdsCHmQb6XSbFLDs06jZulus
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk svchost.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini svchost.exe File opened for modification C:\Windows\assembly\Desktop.ini svchost.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini svchost.exe File opened for modification C:\Windows\assembly\Desktop.ini svchost.exe File opened for modification C:\Windows\assembly svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1656 svchost.exe Token: 33 1656 svchost.exe Token: SeIncBasePriorityPrivilege 1656 svchost.exe