Overview
overview
10Static
static
6516874.exe
windows7-x64
75479329c03...a2.exe
windows7-x64
1054ab323053...1f.exe
windows7-x64
95600.exe
windows7-x64
656a9736b82...7a.exe
windows7-x64
1059ddf36a9e...ws.dll
windows7-x64
105C53687F73...ViR.js
windows7-x64
35bfae47c9f..._2.dll
windows7-x64
15c6416f819...be.exe
windows7-x64
15f1fcdfb95...1c.exe
windows7-x64
105fc9230812...e9.exe
windows7-x64
961318fa1f1...5F.exe
windows7-x64
761318fa1f1...5B.exe
windows7-x64
76184f1def4...ss.exe
windows7-x64
761bc10e8ed...3e.exe
windows7-x64
76217ea6bb8...f5.apk
windows7-x64
362ebcfeeff...C3.exe
windows7-x64
762ebcfeeff...BB.exe
windows7-x64
7647f242.exe.vir.exe
windows7-x64
964bfea1efc...99.exe
windows7-x64
964f540a7c6...B3.exe
windows7-x64
764f540a7c6...77.exe
windows7-x64
76916a006c4...9a.exe
windows7-x64
769ee634973...df.exe
windows7-x64
6f772eb660...bc.exe
windows7-x64
77077437251...e9.exe
windows7-x64
17175d6bb11...2b.exe
windows7-x64
9728733095f...on.dll
windows7-x64
873c3d88d0d...5F.exe
windows7-x64
773c3d88d0d...BF.exe
windows7-x64
774add6536c...ef.exe
windows7-x64
10757a661bcc...d8.exe
windows7-x64
7Analysis
-
max time kernel
1190s -
max time network
839s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 02:36
Behavioral task
behavioral1
Sample
516874.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
5479329c03e12e27adc81caeefe1a1dc26bf59d4dac36dd2eae008213e8fe0a2.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
54ab323053f1138e5ccaa8f8afaa38cabca9491f.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
5600.exe
Resource
win7-20241010-en
Behavioral task
behavioral5
Sample
56a9736b82bc9f65ddad590d1edfd9df26b5d97ecfeb48787f6ccc00ce26597a.exe
Resource
win7-20241023-en
Behavioral task
behavioral6
Sample
59ddf36a9e85f4cf82a6511b49cfcdd9e4521b17f7e245f005e18418176ff4aa_PonyNews.dll
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
5C53687F7327933R.js.ViR.js
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
5bfae47c9fda81243b50b6df53ac4184d90a70000894fa2a516044fa44770cfd_Stealer_2.dll
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
5c6416f819bfbca2f1862691a03f68be.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
5f1fcdfb951dc4642ce136a5d3e6bc42021f8e0cd631975a5eb3842da020531c.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
5fc92308120aa10dc1062c4c319559ed0b1308befe117d5cafa283e245bea1e9.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
61318fa1f1db342045573d584badc254c9e2578db916594dc749d8cc44ce8ac4_Dumped_TDS=4F8C315F.exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
61318fa1f1db342045573d584badc254c9e2578db916594dc749d8cc44ce8ac4_TDS=4F91F15B.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
6184f1def457c10b2ae10a33b8639c89cb0115061c3d424d330342b44d4179aa_not_packed_maybe_useless.exe
Resource
win7-20241010-en
Behavioral task
behavioral15
Sample
61bc10e8ede3997da73b3de9fa57b059e352b592404fb9c171469c4026fdc03e.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
6217ea6bb87295983c4915a4d97c7e4142effef95d1e815693a72ea3a73b45f5.apk
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df_Dumped_TDS=4F854EC3.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df_TDS=4F8644BB.exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
647f242.exe.vir.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
64bfea1efccb47a049ba2cb592878e5c415cc70f9488dd97291c1356e3d79299.exe
Resource
win7-20240708-en
Behavioral task
behavioral21
Sample
64f540a7c6ded1c751c9a66629fd2aaa6cdd61749f05c8d0760a1aaeb5548935_Dumped_TDS=4F9911B3.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
64f540a7c6ded1c751c9a66629fd2aaa6cdd61749f05c8d0760a1aaeb5548935_TDS=4F9DB277.exe
Resource
win7-20240903-en
Behavioral task
behavioral23
Sample
6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
69ee6349739643538dd7eb60e92368f209e12a366f00a7b80000ba02307c9bdf.exe
Resource
win7-20240708-en
Behavioral task
behavioral25
Sample
6f772eb660bc05fc26df86c98ca49abc.exe
Resource
win7-20240708-en
Behavioral task
behavioral26
Sample
70774372517532ae1dcb97a7133983811d5cc7d2975cd58a1f132f2ef100c5e9.exe
Resource
win7-20240729-en
Behavioral task
behavioral27
Sample
7175d6bb11dea0932bd4b611d0f7221b62a71dbc54607e97ad397f104bcffa2b.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
728733095fe2c66f91a19ebde412dd25_70186ceb735016eadd98466e62c03635_TheLastReveton.dll
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960_Dumped_TDS=4F8C315F.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960_TDS=4F8DFBBF.exe
Resource
win7-20240729-en
Behavioral task
behavioral31
Sample
74add6536cdcfb8b77d10a1e7be6b9ef.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
757a661bcc68616f99366b10abac92d8.exe
Resource
win7-20240903-en
General
-
Target
74add6536cdcfb8b77d10a1e7be6b9ef.exe
-
Size
229KB
-
MD5
74add6536cdcfb8b77d10a1e7be6b9ef
-
SHA1
b35c295f625ce4203f70106d33ecdfb39be3537b
-
SHA256
f5ab764c439a45ed892a3346f228d36f24d7f2377d4cddc5e82a0566f8521082
-
SHA512
91c1f048b39bb620e498342a259b8edfdf0655c674870104d5d335d49598aed93b54e1793b80a0b5a3f203c493e07f72601f5174925021c94dee7d9afb78b1d6
-
SSDEEP
6144:t9Kx9J/srIEV00YdR29lGx/adfteNtUlnNCc2HLN:+R29l2QfFfJ2H
Malware Config
Extracted
C:\Users\Admin\Favorites\Microsoft Websites\_DECRYPT_INFO_elzyw.html
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Extracted
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\_DECRYPT_INFO_elzyw.html
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Extracted
C:\Users\Admin\Desktop\backup_elzyw\_DECRYPT_INFO_elzyw.html
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
http-equiv='Content-Type
Signatures
-
Maktub Locker
Advanced ransomware family capable of offline decryption, generally distributed via .scr email attachments.
-
Maktub family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (140) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
resource yara_rule behavioral31/memory/2716-18-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral31/memory/2716-23-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral31/memory/2716-22-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral31/memory/2716-21-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral31/memory/2716-311-0x0000000010000000-0x0000000010022000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 74add6536cdcfb8b77d10a1e7be6b9ef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 576 vssadmin.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2780 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeBackupPrivilege 1900 vssvc.exe Token: SeRestorePrivilege 1900 vssvc.exe Token: SeAuditPrivilege 1900 vssvc.exe Token: SeShutdownPrivilege 2780 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2716 74add6536cdcfb8b77d10a1e7be6b9ef.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2780 WINWORD.EXE 2780 WINWORD.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2716 wrote to memory of 2780 2716 74add6536cdcfb8b77d10a1e7be6b9ef.exe 31 PID 2716 wrote to memory of 2780 2716 74add6536cdcfb8b77d10a1e7be6b9ef.exe 31 PID 2716 wrote to memory of 2780 2716 74add6536cdcfb8b77d10a1e7be6b9ef.exe 31 PID 2716 wrote to memory of 2780 2716 74add6536cdcfb8b77d10a1e7be6b9ef.exe 31 PID 2780 wrote to memory of 1444 2780 WINWORD.EXE 33 PID 2780 wrote to memory of 1444 2780 WINWORD.EXE 33 PID 2780 wrote to memory of 1444 2780 WINWORD.EXE 33 PID 2780 wrote to memory of 1444 2780 WINWORD.EXE 33 PID 2716 wrote to memory of 576 2716 74add6536cdcfb8b77d10a1e7be6b9ef.exe 34 PID 2716 wrote to memory of 576 2716 74add6536cdcfb8b77d10a1e7be6b9ef.exe 34 PID 2716 wrote to memory of 576 2716 74add6536cdcfb8b77d10a1e7be6b9ef.exe 34 PID 2716 wrote to memory of 576 2716 74add6536cdcfb8b77d10a1e7be6b9ef.exe 34 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\74add6536cdcfb8b77d10a1e7be6b9ef.exe"C:\Users\Admin\AppData\Local\Temp\74add6536cdcfb8b77d10a1e7be6b9ef.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\74add6536cdcfb8b77d10a1e7be6b9ef.rtf"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1444
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:576
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD513c868e109968d23c72b3e5de04abfa3
SHA1743507da7f922fe061fe0a791b421857fc7c1083
SHA25676957d7a86db61be8f50063b323dfee1c91922f3677456f97ca761007f00b092
SHA5124b218438f4951ba09282b1a6e1b79dc6362836a667dd7539fc4bc0d62b4f4f31ea1005bb20d2195eb77266540a72fba0e052983731f41a607387fe61781e0bcc
-
Filesize
2KB
MD5a945a8899cc5fa3620b89fb23997f887
SHA160dce9277089ceeddb5b1ac4bdbe6b575e7a29bf
SHA2565ac025473de03bba56f3b92496571804a1f7dea2a75005caaa9ddac5dcf91de5
SHA512896d66c2b95c2c2cc85679ef0b1b510b531872079dc7f475d88c65ed48ca3d9299a023e2c1208848ffa52c01dba0103e57bcdb4cfec2c593a3088e0eeef30bed
-
Filesize
19KB
MD5def5ec4c64b3b6c51ceca02b0a2e7a82
SHA1e2ba99dadc38b62442fda548f480b44694b8d426
SHA256a205d15c22258042a3a654b01a6299986a23a38baf96f9b70371828b89915531
SHA5129fe33e31167e5c6fda3d8c5ca55d3c27b1bd14f547f737ab82a5a91a3400dcab287b56e5c9586661da70d70f017b27f0af6bdbb754c95743843dd9d6f7afab2e
-
Filesize
5KB
MD53447c812184ad6059d152379c83373c9
SHA101564265e5125ab4d36d3b4389c788859fafcd93
SHA256c672b9c7472fff2a1702b4a8177cc6f4ee0b9e41d825f26533de7f08dafc85b1
SHA5125fefb3f555249d751be934a5b1115d5476a96fdc2e1c89bb1b8cf31165de832407dcc526c2ddc4ddc89663ae4b29a46aa5827497697952660e14a827a117c794
-
Filesize
5KB
MD5ee869afb1bc5d5c1b0f957f439ad50ac
SHA12ca1d0c98f8ad6cc80a0026dc046f17e183c36fa
SHA2565bfd82880c7be0c39f6c166fcc1813efedd9f213525b344cd3e9c87bdb457745
SHA512bf3a1f77456ef63448dbb59c29de3110bf3ef373dc87c1f44288610a8a5a1f9c2856496ce67309e8e397e0c1556bb7ede3711faa4fdfcd77794f62ad83c42936