Analysis (score 10)

Max time kernel: 299s
Max time network: 266s
Platform: windows7_x64
Resource: win7-20241010-en
Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
Submitted: 22-11-2024 03:36
Behavioral tasks

behavioral1   Sample: IQHGV07FDyQ5u7bmNAvn (2).exe   Resource: win7-20240903-en
behavioral2   Sample: IQHGV07FDyQ5u7bmNAvn.exe   Resource: win7-20240729-en
behavioral3   Sample: Junk)2345.eml.ViR.eml   Resource: win7-20241010-en
behavioral4   Sample: PC Cleaner.exe   Resource: win7-20241010-en
behavioral5   Sample: PC_cleaner-cleaned.exe   Resource: win7-20240903-en
behavioral6   Sample: PC_cleaner_database-cleaned.exe   Resource: win7-20240903-en
behavioral7   Sample: Pizzacrypts.exe   Resource: win7-20241023-en
behavioral8   Sample: Ponmsiyyks.exe   Resource: win7-20240708-en
behavioral9   Sample: Rlesvxamvenagx @ZL@0ECpw@ZL@ .xml.zyklon.exe   Resource: win7-20240903-en
behavioral10  Sample: SATURN_RANSOM.exe   Resource: win7-20240903-en
behavioral11  Sample: ScreenCapture_Win8.MalwareScanner.exe   Resource: win7-20240903-en
behavioral12  Sample: license key.exe   Resource: win7-20240903-en
behavioral13  Sample: malware.exe   Resource: win7-20240903-en
behavioral14  Sample: mamba_141.exe_.exe   Resource: win7-20241010-en
behavioral15  Sample: mamba_152.exe_.exe   Resource: win7-20240903-en
behavioral16  Sample: microsoft-cleaned.exe   Resource: win7-20240903-en
behavioral17  Sample: msiexec.exe   Resource: win7-20240708-en
behavioral18  Sample: nc.exe   Resource: win7-20241023-en
behavioral19  Sample: nd2vj1ux.exe   Resource: win7-20240729-en
behavioral20  Sample: notes.exe   Resource: win7-20240903-en
behavioral21  Sample: nzpuHohZGP2RNfMTp0sr (2).exe   Resource: win7-20240903-en
behavioral22  Sample: nzpuHohZGP2RNfMTp0sr.exe   Resource: win7-20240903-en
behavioral23  Sample: old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe   Resource: win7-20240903-en
behavioral24  Sample: patched.exe   Resource: win7-20240903-en
behavioral25  Sample: pclock.exe   Resource: win7-20241010-en
behavioral26  Sample: pclock_unpack.exe   Resource: win7-20240903-en
behavioral27  Sample: pitupi20.exe   Resource: win7-20241010-en
behavioral28  Sample: pozhehgxmlhobpvwlqco.exe   Resource: win7-20240708-en
behavioral29  Sample: ransom_50.00_dol_df410f19157f591860e1633b85dfb50b.scr   Resource: win7-20240903-en
behavioral30  Sample: ransomware1061911a3e0a74827a76bbd7bfe16d20.exe   Resource: win7-20240729-en
behavioral31  Sample: safeinf.exe   Resource: win7-20240903-en
behavioral32  Sample: schet1074.15.03.16.rtf   Resource: win7-20240903-en
General

Target: pclock.exe
Size: 239KB
MD5: bb9c3be8f8ee44993bc2ed175abcaf1b
SHA1: fee3a493cbfc84799c1e6c2c3b7d84e84433578d
SHA256: 302b437cf639368e85af4d16b2ba11707f5e94d257e5718be7f913c7162bf954
SHA512: c4dddee9db4929ec00d3344ecd748c4cf41a516489f39eac9ffe159dba8058b5d2ac23f47edbdb0cd310793699af3631d6b3577fdba59efe599dfc81d12f6837
SSDEEP: 3072:3Nkgq5A+T73rKiwT6ChOe97tauWx/7PaoHdWOGNKbZNM4rfnxl1YWOFW+OKd:mR3a6CrXWx/7ao9aKbQ4rycKd
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  PID   Process
  2036  WinFaxViewer.exe
  3060  WinFaxViewer.exe
  2444  winhub.exe
  2988  winhub.exe

- Loads dropped DLL (7 IoCs)
  PID   Process
  1128  pclock.exe
  1128  pclock.exe
  1128  pclock.exe
  1128  pclock.exe
  2036  WinFaxViewer.exe
  3060  WinFaxViewer.exe
  3060  WinFaxViewer.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\wincl = "C:\\Users\\Public\\WinHub\\winhub.exe"
  Process: WinFaxViewer.exe

- Suspicious use of SetThreadContext (3 IoCs)
  PID 1688 set thread context of 1128  (pclock.exe, procid_target 30)
  PID 2036 set thread context of 3060  (WinFaxViewer.exe, procid_target 32)
  PID 2444 set thread context of 2988  (winhub.exe, procid_target 37)

- UPX-packed memory regions (yara_rule: upx)
  Resource
  behavioral25/memory/1128-1-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/1128-3-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/1128-7-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/1128-2-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/1128-11-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/1128-9-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/3060-47-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/3060-46-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/2036-45-0x0000000000280000-0x00000000002C0000-memory.dmp
  behavioral25/memory/1128-41-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/3060-73-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/2988-68-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/1128-77-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/2988-78-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/2988-80-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/2988-82-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/1128-103-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/2988-109-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/2988-110-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral25/memory/2988-117-0x0000000000400000-0x0000000000450000-memory.dmp

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   pclock.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   pclock.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WinFaxViewer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WinFaxViewer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   taskkill.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   winhub.exe

- Kills process with taskkill (1 IoC)
  PID   Process
  2832  taskkill.exe

- Script User-Agent (8 IoCs)
  Uses user-agent string associated with script host/environment.
  Description             Flow  IoC
  HTTP User-Agent header  12    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  13    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  14    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  15    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  7     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  9     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  10    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  11    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 2832  taskkill.exe

- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID   Process
  1128  pclock.exe
  3060  WinFaxViewer.exe
  2988  winhub.exe

- Suspicious use of WriteProcessMemory (39 IoCs; identical rows grouped with counts)
  PID 1688 wrote to memory of 1128  (pclock.exe, procid_target 30)         x9
  PID 1128 wrote to memory of 2036  (pclock.exe, procid_target 31)         x4
  PID 2036 wrote to memory of 3060  (WinFaxViewer.exe, procid_target 32)   x9
  PID 3060 wrote to memory of 2832  (WinFaxViewer.exe, procid_target 33)   x4
  PID 3060 wrote to memory of 2444  (WinFaxViewer.exe, procid_target 36)   x4
  PID 2444 wrote to memory of 2988  (winhub.exe, procid_target 37)         x9
Processes

1. C:\Users\Admin\AppData\Local\Temp\pclock.exe (PID 1688)
   Command line: "C:\Users\Admin\AppData\Local\Temp\pclock.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\pclock.exe (PID 1128)
      Command line: "C:\Users\Admin\AppData\Local\Temp\pclock.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\WinFaxViewer.exe (PID 2036)
         Command line: "C:\Users\Admin\AppData\Local\Temp\WinFaxViewer.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\WinFaxViewer.exe (PID 3060)
            Command line: "C:\Users\Admin\AppData\Local\Temp\WinFaxViewer.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\taskkill.exe (PID 2832)
               Command line: taskkill /F /IM criminal_case_against_you.scr
               - System Location Discovery: System Language Discovery
               - Kills process with taskkill
               - Suspicious use of AdjustPrivilegeToken

            5. C:\Users\Public\WinHub\winhub.exe (PID 2444)
               Command line: "C:\Users\Public\WinHub\winhub.exe"
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory

               6. C:\Users\Public\WinHub\winhub.exe (PID 2988)
                  Command line: "C:\Users\Public\WinHub\winhub.exe"
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- pclock.exe
  Filesize: 239KB
  MD5: bb9c3be8f8ee44993bc2ed175abcaf1b
  SHA1: fee3a493cbfc84799c1e6c2c3b7d84e84433578d
  SHA256: 302b437cf639368e85af4d16b2ba11707f5e94d257e5718be7f913c7162bf954
  SHA512: c4dddee9db4929ec00d3344ecd748c4cf41a516489f39eac9ffe159dba8058b5d2ac23f47edbdb0cd310793699af3631d6b3577fdba59efe599dfc81d12f6837