Overview
overview
10Static
static
10IQHGV07FDy...2).exe
windows7-x64
3IQHGV07FDy...vn.exe
windows7-x64
3Junk)2345.eml.ViR.eml
windows7-x64
5PC Cleaner.exe
windows7-x64
10PC_cleaner...ed.exe
windows7-x64
3PC_cleaner...ed.exe
windows7-x64
3Pizzacrypts.exe
windows7-x64
9Ponmsiyyks.exe
windows7-x64
3Rlesvxamve...on.exe
windows7-x64
SATURN_RANSOM.exe
windows7-x64
10ScreenCapt...er.exe
windows7-x64
1license key.exe
windows7-x64
malware.exe
windows7-x64
8mamba_141.exe_.exe
windows7-x64
1mamba_152.exe_.exe
windows7-x64
5microsoft-cleaned.exe
windows7-x64
3msiexec.exe
windows7-x64
10nc.exe
windows7-x64
1nd2vj1ux.exe
windows7-x64
notes.exe
windows7-x64
nzpuHohZGP...2).exe
windows7-x64
3nzpuHohZGP...sr.exe
windows7-x64
3old_14b68c...0d.exe
windows7-x64
7patched.exe
windows7-x64
9pclock.exe
windows7-x64
7pclock_unpack.exe
windows7-x64
7pitupi20.exe
windows7-x64
10pozhehgxml...co.exe
windows7-x64
7ransom_50....0b.scr
windows7-x64
9ransomware...20.exe
windows7-x64
9safeinf.exe
windows7-x64
7schet1074....16.rtf
windows7-x64
10Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:36
Behavioral task
behavioral1
Sample
IQHGV07FDyQ5u7bmNAvn (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
IQHGV07FDyQ5u7bmNAvn.exe
Resource
win7-20240729-en
Behavioral task
behavioral3
Sample
Junk)2345.eml.ViR.eml
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
PC Cleaner.exe
Resource
win7-20241010-en
Behavioral task
behavioral5
Sample
PC_cleaner-cleaned.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
PC_cleaner_database-cleaned.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
Pizzacrypts.exe
Resource
win7-20241023-en
Behavioral task
behavioral8
Sample
Ponmsiyyks.exe
Resource
win7-20240708-en
Behavioral task
behavioral9
Sample
Rlesvxamvenagx @ZL@0ECpw@ZL@ .xml.zyklon.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
SATURN_RANSOM.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
ScreenCapture_Win8.MalwareScanner.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
license key.exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
malware.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
mamba_141.exe_.exe
Resource
win7-20241010-en
Behavioral task
behavioral15
Sample
mamba_152.exe_.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
microsoft-cleaned.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
msiexec.exe
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
nc.exe
Resource
win7-20241023-en
Behavioral task
behavioral19
Sample
nd2vj1ux.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
notes.exe
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
nzpuHohZGP2RNfMTp0sr (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
nzpuHohZGP2RNfMTp0sr.exe
Resource
win7-20240903-en
Behavioral task
behavioral23
Sample
old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
patched.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
pclock.exe
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
pclock_unpack.exe
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
pitupi20.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
pozhehgxmlhobpvwlqco.exe
Resource
win7-20240708-en
Behavioral task
behavioral29
Sample
ransom_50.00_dol_df410f19157f591860e1633b85dfb50b.scr
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
Resource
win7-20240729-en
Behavioral task
behavioral31
Sample
safeinf.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
schet1074.15.03.16.rtf
Resource
win7-20240903-en
General
-
Target
malware.exe
-
Size
53KB
-
MD5
87ccd6f4ec0e6b706d65550f90b0e3c7
-
SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f
-
SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
-
SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
-
SSDEEP
768:4yKoNLsn4Jp9ZvRInygrpMoZN+WtOl08jxBEHCDwBLpZTPCUvQK:j/sn4/OycxZN+MKxp8t9zQK
Malware Config
Signatures
-
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" malware.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" malware.exe -
Disables Task Manager via registry modification
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" malware.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" malware.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü.  îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû." malware.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" malware.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\WINDOWS\Web malware.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language malware.exe -
Modifies Control Panel 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallpaperOriginY = "187" malware.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\MenuShowDelay = "9999" malware.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International malware.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\sTimeFormat = "ÕÓÉ" malware.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop malware.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallpaperOriginX = "210" malware.exe -
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main malware.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" malware.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main malware.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" malware.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://poetry.rotten.com/lightning/" malware.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" malware.exe -
Modifies registry class 1 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\REGFILE\SHELL\OPEN\COMMAND malware.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeSystemtimePrivilege 2404 malware.exe Token: SeSystemtimePrivilege 2404 malware.exe Token: SeSystemtimePrivilege 2404 malware.exe -
System policy modification 1 TTPs 37 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" malware.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" malware.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" malware.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" malware.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" malware.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\malware.exe"C:\Users\Admin\AppData\Local\Temp\malware.exe"1⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2404