Analysis
max time kernel: 299s
max time network: 290s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 03:36
Behavioral tasks
Behavioral task | Sample | Resource
behavioral1 | IQHGV07FDyQ5u7bmNAvn (2).exe | win7-20240903-en
behavioral2 | IQHGV07FDyQ5u7bmNAvn.exe | win7-20240729-en
behavioral3 | Junk)2345.eml.ViR.eml | win7-20241010-en
behavioral4 | PC Cleaner.exe | win7-20241010-en
behavioral5 | PC_cleaner-cleaned.exe | win7-20240903-en
behavioral6 | PC_cleaner_database-cleaned.exe | win7-20240903-en
behavioral7 | Pizzacrypts.exe | win7-20241023-en
behavioral8 | Ponmsiyyks.exe | win7-20240708-en
behavioral9 | Rlesvxamvenagx @ZL@0ECpw@ZL@ .xml.zyklon.exe | win7-20240903-en
behavioral10 | SATURN_RANSOM.exe | win7-20240903-en
behavioral11 | ScreenCapture_Win8.MalwareScanner.exe | win7-20240903-en
behavioral12 | license key.exe | win7-20240903-en
behavioral13 | malware.exe | win7-20240903-en
behavioral14 | mamba_141.exe_.exe | win7-20241010-en
behavioral15 | mamba_152.exe_.exe | win7-20240903-en
behavioral16 | microsoft-cleaned.exe | win7-20240903-en
behavioral17 | msiexec.exe | win7-20240708-en
behavioral18 | nc.exe | win7-20241023-en
behavioral19 | nd2vj1ux.exe | win7-20240729-en
behavioral20 | notes.exe | win7-20240903-en
behavioral21 | nzpuHohZGP2RNfMTp0sr (2).exe | win7-20240903-en
behavioral22 | nzpuHohZGP2RNfMTp0sr.exe | win7-20240903-en
behavioral23 | old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe | win7-20240903-en
behavioral24 | patched.exe | win7-20240903-en
behavioral25 | pclock.exe | win7-20241010-en
behavioral26 | pclock_unpack.exe | win7-20240903-en
behavioral27 | pitupi20.exe | win7-20241010-en
behavioral28 | pozhehgxmlhobpvwlqco.exe | win7-20240708-en
behavioral29 | ransom_50.00_dol_df410f19157f591860e1633b85dfb50b.scr | win7-20240903-en
behavioral30 | ransomware1061911a3e0a74827a76bbd7bfe16d20.exe | win7-20240729-en
behavioral31 | safeinf.exe | win7-20240903-en
behavioral32 | schet1074.15.03.16.rtf | win7-20240903-en
General
Target: schet1074.15.03.16.rtf
Size: 1.1MB
MD5: 99289be18f8eff90737733fd7e1255c6
SHA1: 736c1b31cb3735f301d8cd4981c24ad70d017083
SHA256: 72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9
SHA512: 351d9ab3c36dccbe591fdd7aa4cfc6e33e82c3a2dc07a829b79a99794b7184811307f749ddba7881eab4ed46660ae6b8214c1c41c974d9f8a3c934a786b0560e
SSDEEP: 24576:kbKw4bfMpV7ceKPvi14LEt5k/W0DPwCna++V8TQheoP:TwOMAtPq18Et5k+qH+GTQZ
Malware Config
Signatures
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1680 | 2948 | cmd.exe | 30
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1916 | 2948 | cmd.exe | 30
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1724 | 2948 | cmd.exe | 30
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1752 | 2948 | cmd.exe | 30
Executes dropped EXE 2 IoCs
pid | Process
832 | vmsk.exe
2400 | vmsk.exe
Loads dropped DLL 3 IoCs
pid | Process
2948 | WINWORD.EXE
2948 | WINWORD.EXE
832 | vmsk.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | vmsk.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 832 set thread context of 2400 | 832 | vmsk.exe | 34
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vmsk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vmsk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2948 | WINWORD.EXE
1716 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
832 | vmsk.exe
2400 | vmsk.exe
2400 | vmsk.exe
Suspicious use of SetWindowsHookEx 23 IoCs
pid | Process
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
832 | vmsk.exe
1716 | WINWORD.EXE
1716 | WINWORD.EXE
Suspicious use of WriteProcessMemory 51 IoCs
description | pid | Process | procid_target
PID 2948 wrote to memory of 2972 | 2948 | WINWORD.EXE | 31
PID 2948 wrote to memory of 2972 | 2948 | WINWORD.EXE | 31
PID 2948 wrote to memory of 2972 | 2948 | WINWORD.EXE | 31
PID 2948 wrote to memory of 2972 | 2948 | WINWORD.EXE | 31
PID 2948 wrote to memory of 832 | 2948 | WINWORD.EXE | 33
PID 2948 wrote to memory of 832 | 2948 | WINWORD.EXE | 33
PID 2948 wrote to memory of 832 | 2948 | WINWORD.EXE | 33
PID 2948 wrote to memory of 832 | 2948 | WINWORD.EXE | 33
PID 832 wrote to memory of 2400 | 832 | vmsk.exe | 34
PID 832 wrote to memory of 2400 | 832 | vmsk.exe | 34
PID 832 wrote to memory of 2400 | 832 | vmsk.exe | 34
PID 832 wrote to memory of 2400 | 832 | vmsk.exe | 34
PID 832 wrote to memory of 2400 | 832 | vmsk.exe | 34
PID 832 wrote to memory of 2400 | 832 | vmsk.exe | 34
PID 832 wrote to memory of 2400 | 832 | vmsk.exe | 34
PID 832 wrote to memory of 2400 | 832 | vmsk.exe | 34
PID 832 wrote to memory of 2400 | 832 | vmsk.exe | 34
PID 832 wrote to memory of 2400 | 832 | vmsk.exe | 34
PID 832 wrote to memory of 2400 | 832 | vmsk.exe | 34
PID 2948 wrote to memory of 1752 | 2948 | WINWORD.EXE | 35
PID 2948 wrote to memory of 1752 | 2948 | WINWORD.EXE | 35
PID 2948 wrote to memory of 1752 | 2948 | WINWORD.EXE | 35
PID 2948 wrote to memory of 1752 | 2948 | WINWORD.EXE | 35
PID 2948 wrote to memory of 1724 | 2948 | WINWORD.EXE | 36
PID 2948 wrote to memory of 1724 | 2948 | WINWORD.EXE | 36
PID 2948 wrote to memory of 1724 | 2948 | WINWORD.EXE | 36
PID 2948 wrote to memory of 1724 | 2948 | WINWORD.EXE | 36
PID 2948 wrote to memory of 1916 | 2948 | WINWORD.EXE | 37
PID 2948 wrote to memory of 1916 | 2948 | WINWORD.EXE | 37
PID 2948 wrote to memory of 1916 | 2948 | WINWORD.EXE | 37
PID 2948 wrote to memory of 1916 | 2948 | WINWORD.EXE | 37
PID 2948 wrote to memory of 1680 | 2948 | WINWORD.EXE | 38
PID 2948 wrote to memory of 1680 | 2948 | WINWORD.EXE | 38
PID 2948 wrote to memory of 1680 | 2948 | WINWORD.EXE | 38
PID 2948 wrote to memory of 1680 | 2948 | WINWORD.EXE | 38
PID 1752 wrote to memory of 1628 | 1752 | cmd.exe | 43
PID 1752 wrote to memory of 1628 | 1752 | cmd.exe | 43
PID 1752 wrote to memory of 1628 | 1752 | cmd.exe | 43
PID 1752 wrote to memory of 1628 | 1752 | cmd.exe | 43
PID 1724 wrote to memory of 2144 | 1724 | cmd.exe | 44
PID 1724 wrote to memory of 2144 | 1724 | cmd.exe | 44
PID 1724 wrote to memory of 2144 | 1724 | cmd.exe | 44
PID 1724 wrote to memory of 2144 | 1724 | cmd.exe | 44
PID 1916 wrote to memory of 2368 | 1916 | cmd.exe | 45
PID 1916 wrote to memory of 2368 | 1916 | cmd.exe | 45
PID 1916 wrote to memory of 2368 | 1916 | cmd.exe | 45
PID 1916 wrote to memory of 2368 | 1916 | cmd.exe | 45
PID 1680 wrote to memory of 1716 | 1680 | cmd.exe | 46
PID 1680 wrote to memory of 1716 | 1680 | cmd.exe | 46
PID 1680 wrote to memory of 1716 | 1680 | cmd.exe | 46
PID 1680 wrote to memory of 1716 | 1680 | cmd.exe | 46
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2948)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\schet1074.15.03.16.rtf"
  Signatures: Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 2972)
    Command line: C:\Windows\splwow64.exe 12288
  - C:\Users\Admin\AppData\Local\Temp\vmsk.exe (PID 832)
    Command line: C:\Users\Admin\AppData\Local\Temp\vmsk.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\vmsk.exe (PID 2400)
      Command line: C:\Users\Admin\AppData\Local\Temp\vmsk.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 1752)
    Command line: cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
    Signatures: Process spawned unexpected child process; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 1628)
      Command line: reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1724)
    Command line: cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
    Signatures: Process spawned unexpected child process; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2144)
      Command line: reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1916)
    Command line: cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\15.0\Word\Resiliency" /F
    Signatures: Process spawned unexpected child process; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2368)
      Command line: reg delete "HKCU\Software\Microsoft\Office\15.0\Word\Resiliency" /F
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1680)
    Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\document.doc"
    Signatures: Process spawned unexpected child process; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1716)
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document.doc"
      Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Downloads