Overview
overview
10Static
static
10IQHGV07FDy...2).exe
windows7-x64
3IQHGV07FDy...vn.exe
windows7-x64
3Junk)2345.eml.ViR.eml
windows7-x64
5PC Cleaner.exe
windows7-x64
10PC_cleaner...ed.exe
windows7-x64
3PC_cleaner...ed.exe
windows7-x64
3Pizzacrypts.exe
windows7-x64
9Ponmsiyyks.exe
windows7-x64
3Rlesvxamve...on.exe
windows7-x64
SATURN_RANSOM.exe
windows7-x64
10ScreenCapt...er.exe
windows7-x64
1license key.exe
windows7-x64
malware.exe
windows7-x64
8mamba_141.exe_.exe
windows7-x64
1mamba_152.exe_.exe
windows7-x64
5microsoft-cleaned.exe
windows7-x64
3msiexec.exe
windows7-x64
10nc.exe
windows7-x64
1nd2vj1ux.exe
windows7-x64
notes.exe
windows7-x64
nzpuHohZGP...2).exe
windows7-x64
3nzpuHohZGP...sr.exe
windows7-x64
3old_14b68c...0d.exe
windows7-x64
7patched.exe
windows7-x64
9pclock.exe
windows7-x64
7pclock_unpack.exe
windows7-x64
7pitupi20.exe
windows7-x64
10pozhehgxml...co.exe
windows7-x64
7ransom_50....0b.scr
windows7-x64
9ransomware...20.exe
windows7-x64
9safeinf.exe
windows7-x64
7schet1074....16.rtf
windows7-x64
10Analysis
-
max time kernel
83s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:36
Behavioral task
behavioral1
Sample
IQHGV07FDyQ5u7bmNAvn (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
IQHGV07FDyQ5u7bmNAvn.exe
Resource
win7-20240729-en
Behavioral task
behavioral3
Sample
Junk)2345.eml.ViR.eml
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
PC Cleaner.exe
Resource
win7-20241010-en
Behavioral task
behavioral5
Sample
PC_cleaner-cleaned.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
PC_cleaner_database-cleaned.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
Pizzacrypts.exe
Resource
win7-20241023-en
Behavioral task
behavioral8
Sample
Ponmsiyyks.exe
Resource
win7-20240708-en
Behavioral task
behavioral9
Sample
Rlesvxamvenagx @ZL@0ECpw@ZL@ .xml.zyklon.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
SATURN_RANSOM.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
ScreenCapture_Win8.MalwareScanner.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
license key.exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
malware.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
mamba_141.exe_.exe
Resource
win7-20241010-en
Behavioral task
behavioral15
Sample
mamba_152.exe_.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
microsoft-cleaned.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
msiexec.exe
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
nc.exe
Resource
win7-20241023-en
Behavioral task
behavioral19
Sample
nd2vj1ux.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
notes.exe
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
nzpuHohZGP2RNfMTp0sr (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
nzpuHohZGP2RNfMTp0sr.exe
Resource
win7-20240903-en
Behavioral task
behavioral23
Sample
old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
patched.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
pclock.exe
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
pclock_unpack.exe
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
pitupi20.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
pozhehgxmlhobpvwlqco.exe
Resource
win7-20240708-en
Behavioral task
behavioral29
Sample
ransom_50.00_dol_df410f19157f591860e1633b85dfb50b.scr
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
Resource
win7-20240729-en
Behavioral task
behavioral31
Sample
safeinf.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
schet1074.15.03.16.rtf
Resource
win7-20240903-en
General
-
Target
old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe
-
Size
84KB
-
MD5
fef2837fa1deb4704de03eaa76b62241
-
SHA1
8bb3914b5ae46383f0223ace7a7b3b6de2b6344e
-
SHA256
14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d
-
SHA512
9b7ca59308240a46bc215975c14e508bdc853ab5c7a7bc76a92ef42d1dfce0adec2aa1b51b8f9569590bb110c8f9cb47f2c1c446c4ec6c747dac453a918c78f7
-
SSDEEP
768:DhnciumS4FeU6ggYpFJVuGwv8zE2rCaBE1s6zAKKXb/7BxkxzDNHwP00VPSuilVV:1D5vzuf8qfSpKKXxiha00tSHVOWc
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2736 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2088 DirectX.exe -
Loads dropped DLL 2 IoCs
pid Process 2548 old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe 2548 old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" DirectX.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" DirectX.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 checkip.dyndns.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DirectX.exe -
Kills process with taskkill 1 IoCs
pid Process 2856 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2856 taskkill.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2548 wrote to memory of 2088 2548 old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe 30 PID 2548 wrote to memory of 2088 2548 old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe 30 PID 2548 wrote to memory of 2088 2548 old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe 30 PID 2548 wrote to memory of 2088 2548 old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe 30 PID 2548 wrote to memory of 2736 2548 old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe 31 PID 2548 wrote to memory of 2736 2548 old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe 31 PID 2548 wrote to memory of 2736 2548 old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe 31 PID 2548 wrote to memory of 2736 2548 old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe 31 PID 2736 wrote to memory of 2856 2736 cmd.exe 33 PID 2736 wrote to memory of 2856 2736 cmd.exe 33 PID 2736 wrote to memory of 2856 2736 cmd.exe 33 PID 2736 wrote to memory of 2856 2736 cmd.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe"C:\Users\Admin\AppData\Local\Temp\old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Users\Admin\AppData\Roaming\DirectX.exe"C:\Users\Admin\AppData\Roaming\DirectX.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2088
-
-
C:\Windows\SysWOW64\cmd.execmd /c aaa.bat2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2856
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
225B
MD5a8600eab4988347fe7a8c7fa8ff529f1
SHA14c8a216635869c87bde910256aa5f7c50fe94e20
SHA2566d510b47afe90b704c3a7c890f835decad84b979f254fda1cbeb7043f831fce5
SHA5125bdb526a25e5319c18f7359f63eaeb31f063802dca19a6a11e4ecf4f56d611077e8e3adf7a2859aa12998567e6ae5d6935de0dad9a987ec6a3d0c23b00644c3c
-
Filesize
84KB
MD5fef2837fa1deb4704de03eaa76b62241
SHA18bb3914b5ae46383f0223ace7a7b3b6de2b6344e
SHA25614b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d
SHA5129b7ca59308240a46bc215975c14e508bdc853ab5c7a7bc76a92ef42d1dfce0adec2aa1b51b8f9569590bb110c8f9cb47f2c1c446c4ec6c747dac453a918c78f7