Overview
overview
10Static
static
3cerber.exe
windows7-x64
10cerber.exe
windows10-2004-x64
10cryptowall.exe
windows7-x64
9cryptowall.exe
windows10-2004-x64
3jigsaw.exe
windows7-x64
10jigsaw.exe
windows10-2004-x64
10Locky.exe
windows7-x64
10Locky.exe
windows10-2004-x64
10131.exe
windows7-x64
1131.exe
windows10-2004-x64
1Matsnu-MBR...3 .exe
windows7-x64
7Matsnu-MBR...3 .exe
windows10-2004-x64
3027cc450ef...d9.dll
windows7-x64
10027cc450ef...d9.dll
windows10-2004-x64
10027cc450ef...ju.dll
windows7-x64
10027cc450ef...ju.dll
windows10-2004-x64
10myguy.hta
windows7-x64
10myguy.hta
windows10-2004-x64
10svchost.exe
windows7-x64
7svchost.exe
windows10-2004-x64
7Resubmissions
21-02-2024 14:33
240221-rw8hmsha2y 1021-02-2024 14:31
240221-rvtm4agh7w 1021-02-2024 11:52
240221-n1xedseg6t 10Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
21-02-2024 14:33
Static task
static1
Behavioral task
behavioral1
Sample
cerber.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
cerber.exe
Resource
win10v2004-20240221-en
Behavioral task
behavioral3
Sample
cryptowall.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
cryptowall.exe
Resource
win10v2004-20240221-en
Behavioral task
behavioral5
Sample
jigsaw.exe
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
jigsaw.exe
Resource
win10v2004-20240221-en
Behavioral task
behavioral7
Sample
Locky.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
Locky.exe
Resource
win10v2004-20240220-en
Behavioral task
behavioral9
Sample
131.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
131.exe
Resource
win10v2004-20240221-en
Behavioral task
behavioral11
Sample
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win10v2004-20240221-en
Behavioral task
behavioral13
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win7-20231129-en
Behavioral task
behavioral14
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win10v2004-20240221-en
Behavioral task
behavioral15
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win10v2004-20240221-en
Behavioral task
behavioral17
Sample
myguy.hta
Resource
win7-20240215-en
Behavioral task
behavioral18
Sample
myguy.hta
Resource
win10v2004-20240220-en
Behavioral task
behavioral19
Sample
svchost.exe
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
svchost.exe
Resource
win10v2004-20240221-en
General
-
Target
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
-
Size
102KB
-
MD5
1b2d2a4b97c7c2727d571bbf9376f54f
-
SHA1
1fc29938ec5c209ba900247d2919069b320d33b0
-
SHA256
7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e
-
SHA512
506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0
-
SSDEEP
1536:jj+Rj1lGIXKSmE17v97yiqHGMRPtbsLW8/V2k12v1/BDxVyCfCrCAc:jjw6Sf0iqmMnb2W02v3mCf4Nc
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 1628 svchost.exe -
Executes dropped EXE 2 IoCs
pid Process 2628 fljutmpngs.pre 2032 fljutmpngs.pre -
Loads dropped DLL 3 IoCs
pid Process 1628 svchost.exe 1628 svchost.exe 2628 fljutmpngs.pre -
resource yara_rule behavioral11/memory/1720-2-0x0000000000400000-0x0000000000414000-memory.dmp upx behavioral11/memory/1720-4-0x0000000000400000-0x0000000000414000-memory.dmp upx behavioral11/memory/1720-8-0x0000000000400000-0x0000000000414000-memory.dmp upx behavioral11/memory/1720-11-0x0000000000400000-0x0000000000414000-memory.dmp upx behavioral11/memory/1720-12-0x0000000000400000-0x0000000000414000-memory.dmp upx behavioral11/memory/1720-10-0x0000000000400000-0x0000000000414000-memory.dmp upx behavioral11/memory/1720-13-0x0000000000400000-0x0000000000414000-memory.dmp upx behavioral11/memory/1720-14-0x0000000000400000-0x0000000000414000-memory.dmp upx behavioral11/memory/2032-45-0x0000000000400000-0x0000000000414000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ykmcnbmw = "C:\\Users\\Admin\\AppData\\Roaming\\Npcbwfhml\\iznwsnbmw.exe" ctfmon.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3012 set thread context of 1720 3012 Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe 28 PID 2628 set thread context of 2032 2628 fljutmpngs.pre 31 -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 3012 wrote to memory of 1720 3012 Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe 28 PID 3012 wrote to memory of 1720 3012 Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe 28 PID 3012 wrote to memory of 1720 3012 Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe 28 PID 3012 wrote to memory of 1720 3012 Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe 28 PID 3012 wrote to memory of 1720 3012 Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe 28 PID 3012 wrote to memory of 1720 3012 Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe 28 PID 3012 wrote to memory of 1720 3012 Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe 28 PID 3012 wrote to memory of 1720 3012 Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe 28 PID 1720 wrote to memory of 1628 1720 Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe 29 PID 1720 wrote to memory of 1628 1720 Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe 29 PID 1720 wrote to memory of 1628 1720 Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe 29 PID 1720 wrote to memory of 1628 1720 Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe 29 PID 1720 wrote to memory of 1628 1720 Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe 29 PID 1628 wrote to memory of 2628 1628 svchost.exe 30 PID 1628 wrote to memory of 2628 1628 svchost.exe 30 PID 1628 wrote to memory of 2628 1628 svchost.exe 30 PID 1628 wrote to memory of 2628 1628 svchost.exe 30 PID 2628 wrote to memory of 2032 2628 fljutmpngs.pre 31 PID 2628 wrote to memory of 2032 2628 fljutmpngs.pre 31 PID 2628 wrote to memory of 2032 2628 fljutmpngs.pre 31 PID 2628 wrote to memory of 2032 2628 fljutmpngs.pre 31 PID 2628 wrote to memory of 2032 2628 fljutmpngs.pre 31 PID 2628 wrote to memory of 2032 2628 fljutmpngs.pre 31 PID 2628 wrote to memory of 2032 2628 fljutmpngs.pre 31 PID 2628 wrote to memory of 2032 2628 fljutmpngs.pre 31 PID 2032 wrote to memory of 1568 2032 fljutmpngs.pre 32 PID 2032 wrote to memory of 1568 2032 fljutmpngs.pre 32 PID 2032 wrote to memory of 1568 2032 fljutmpngs.pre 32 PID 2032 wrote to memory of 1568 2032 fljutmpngs.pre 32 PID 2032 wrote to memory of 1568 2032 fljutmpngs.pre 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\fljutmpngs.preC:\Users\Admin\AppData\Local\Temp\fljutmpngs.pre4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\fljutmpngs.preC:\Users\Admin\AppData\Local\Temp\fljutmpngs.pre5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\ctfmon.exectfmon.exe6⤵
- Adds Run key to start application
PID:1568
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102KB
MD51b2d2a4b97c7c2727d571bbf9376f54f
SHA11fc29938ec5c209ba900247d2919069b320d33b0
SHA2567634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e
SHA512506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0