General
-
Target
Cluxy_multitool.exe
-
Size
56.4MB
-
Sample
241017-zx4vvazblk
-
MD5
4a39b0b561dd36d51bf0f92a63ffbfda
-
SHA1
fa12ad3b53f205a38e49967df8954af385c302dc
-
SHA256
e6757b4abdad7234bf572539e215f2689c68e84cff75ac05d9be6e4c48f3c6f8
-
SHA512
b546be3fd2a242b74e9bfa0368271cd9f667594c9a415231638cfc008347ec7ee6279d43f3917490fe43c5ca7e07221471f1d386fe8f604885c3d08ccd387efe
-
SSDEEP
1572864:O+wGIpeQqMrlpA+Ql4cxTivfS4qrBBGcm1:O+wpeyklDxenZynGH1
Static task
static1
Behavioral task
behavioral1
Sample
Cluxy_multitool.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Cluxy_multitool.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\@[email protected]
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Targets
-
-
Target
Cluxy_multitool.exe
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Hide Artifacts: Hidden Files and Directories
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Windows Management Instrumentation (1)
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Event Triggered Execution (1)
Netsh Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Event Triggered Execution (1)
Netsh Helper DLL (1)
Defense Evasion
File and Directory Permissions Modification (2)
Windows File and Directory Permissions Modification (1)
Hide Artifacts (2)
Hidden Files and Directories (2)
Indicator Removal (1)
File Deletion (1)
Modify Registry (3)
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (3)
Credentials In Files (3)