Analysis

- max time kernel: 300s
- max time network: 305s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22-11-2024 03:36
Behavioral tasks

| Task | Sample | Resource |
|---|---|---|
| behavioral1 | IQHGV07FDyQ5u7bmNAvn (2).exe | win7-20240903-en |
| behavioral2 | IQHGV07FDyQ5u7bmNAvn.exe | win7-20240729-en |
| behavioral3 | Junk)2345.eml.ViR.eml | win7-20241010-en |
| behavioral4 | PC Cleaner.exe | win7-20241010-en |
| behavioral5 | PC_cleaner-cleaned.exe | win7-20240903-en |
| behavioral6 | PC_cleaner_database-cleaned.exe | win7-20240903-en |
| behavioral7 | Pizzacrypts.exe | win7-20241023-en |
| behavioral8 | Ponmsiyyks.exe | win7-20240708-en |
| behavioral9 | Rlesvxamvenagx @ZL@0ECpw@ZL@ .xml.zyklon.exe | win7-20240903-en |
| behavioral10 | SATURN_RANSOM.exe | win7-20240903-en |
| behavioral11 | ScreenCapture_Win8.MalwareScanner.exe | win7-20240903-en |
| behavioral12 | license key.exe | win7-20240903-en |
| behavioral13 | malware.exe | win7-20240903-en |
| behavioral14 | mamba_141.exe_.exe | win7-20241010-en |
| behavioral15 | mamba_152.exe_.exe | win7-20240903-en |
| behavioral16 | microsoft-cleaned.exe | win7-20240903-en |
| behavioral17 | msiexec.exe | win7-20240708-en |
| behavioral18 | nc.exe | win7-20241023-en |
| behavioral19 | nd2vj1ux.exe | win7-20240729-en |
| behavioral20 | notes.exe | win7-20240903-en |
| behavioral21 | nzpuHohZGP2RNfMTp0sr (2).exe | win7-20240903-en |
| behavioral22 | nzpuHohZGP2RNfMTp0sr.exe | win7-20240903-en |
| behavioral23 | old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe | win7-20240903-en |
| behavioral24 | patched.exe | win7-20240903-en |
| behavioral25 | pclock.exe | win7-20241010-en |
| behavioral26 | pclock_unpack.exe | win7-20240903-en |
| behavioral27 | pitupi20.exe | win7-20241010-en |
| behavioral28 | pozhehgxmlhobpvwlqco.exe | win7-20240708-en |
| behavioral29 | ransom_50.00_dol_df410f19157f591860e1633b85dfb50b.scr | win7-20240903-en |
| behavioral30 | ransomware1061911a3e0a74827a76bbd7bfe16d20.exe | win7-20240729-en |
| behavioral31 | safeinf.exe | win7-20240903-en |
| behavioral32 | schet1074.15.03.16.rtf | win7-20240903-en |
General

- Target: PC Cleaner.exe
- Size: 4.4MB
- MD5: 16a63ddd49552199b3a92b5fe88f804f
- SHA1: bb5b1bcecfc8737b3397bc8442a4e483b1df5951
- SHA256: b46940adcfefac96db737aa663f44e31e071fb7bffc757f98d811c2d82f1d3b8
- SHA512: 8ebf6a3ba7c866328ffd8fbd85d1a4946f806cd4a65540e0db389f7f6dadf0666ec8c7980455934234d469c2d8aaf7da7d630bd98640323f717722b62f6176cd
- SSDEEP: 98304:ywCDueZbuJtHA0QUCb7Yv8b8SIXtiogjiAuC475j:KueA7ZQ9Yv8jdWAS75j
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | msiexec.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | w32tm.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | w32tm.exe |

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)

| Description | IoC | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | msiexec.exe |

Adds policy Run key to start application (2 TTPs, 2 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\w32tm.exe\"" | msiexec.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\w32tm.exe\"" | w32tm.exe |

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)

| Description | IoC | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | msiexec.exe |

Checks BIOS information in registry (2 TTPs, 2 IoCs)

BIOS information is often read in order to detect sandboxing environments.

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | msiexec.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | msiexec.exe |

Drops startup file (1 IoC)

| Description | IoC | Process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\w32tm.lnk | msiexec.exe |

Executes dropped EXE (4 IoCs)

| PID | Process |
|---|---|
| 2692 | w32tm.exe |
| 1876 | tmp901F.exe |
| 3000 | w32tm.exe |
| 2700 | tmp901F.exe |

Loads dropped DLL (5 IoCs)

| PID | Process |
|---|---|
| 2936 | msiexec.exe |
| 2936 | msiexec.exe |
| 2936 | msiexec.exe |
| 2936 | msiexec.exe |
| 636 | cmd.exe |

Adds Run key to start application (2 TTPs, 4 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\w32tm = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\w32tm.exe\"" | msiexec.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\w32tm = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\w32tm.exe\"" | msiexec.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\w32tm = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\w32tm.exe\"" | w32tm.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\w32tm = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\w32tm.exe\"" | w32tm.exe |

Blocklisted process makes network request (1 IoC)

| Flow | PID | Process |
|---|---|---|
| 2 | 2936 | msiexec.exe |

Suspicious use of SetThreadContext (2 IoCs)

| Description | PID | Process | procid_target |
|---|---|---|---|
| PID 2896 set thread context of 2936 | 2896 | msiexec.exe | 31 |
| PID 1876 set thread context of 2700 | 1876 | tmp901F.exe | 38 |

Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| Description | IoC | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp901F.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PC Cleaner.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)

Adversaries may check for Internet connectivity on compromised systems.

| PID | Process |
|---|---|
| 2064 | PING.EXE |
| 636 | cmd.exe |

Modifies Control Panel (2 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEUpdate\\w32tm.exe\"" | w32tm.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop | w32tm.exe |

Runs ping.exe (1 TTP, 1 IoC)

| PID | Process |
|---|---|
| 2064 | PING.EXE |

Suspicious behavior: EnumeratesProcesses (14 IoCs; identical rows collapsed, count given)

| PID | Process | Count |
|---|---|---|
| 2896 | msiexec.exe | 2 |
| 2936 | msiexec.exe | 10 |
| 1876 | tmp901F.exe | 2 |

Suspicious behavior: MapViewOfSection (2 IoCs)

| PID | Process |
|---|---|
| 2692 | w32tm.exe |
| 2692 | w32tm.exe |

Suspicious use of FindShellTrayWindow (1 IoC)

| PID | Process |
|---|---|
| 2692 | w32tm.exe |

Suspicious use of SendNotifyMessage (1 IoC)

| PID | Process |
|---|---|
| 2692 | w32tm.exe |

Suspicious use of WriteProcessMemory (50 IoCs; identical rows collapsed, count given)

| Description | PID | Process | procid_target | Count |
|---|---|---|---|---|
| PID 1680 wrote to memory of 2896 | 1680 | PC Cleaner.exe | 30 | 7 |
| PID 2896 wrote to memory of 2936 | 2896 | msiexec.exe | 31 | 13 |
| PID 2936 wrote to memory of 2692 | 2936 | msiexec.exe | 32 | 4 |
| PID 2936 wrote to memory of 1876 | 2936 | msiexec.exe | 33 | 4 |
| PID 2936 wrote to memory of 636 | 2936 | msiexec.exe | 34 | 4 |
| PID 636 wrote to memory of 3000 | 636 | cmd.exe | 36 | 4 |
| PID 636 wrote to memory of 2064 | 636 | cmd.exe | 37 | 4 |
| PID 1876 wrote to memory of 2700 | 1876 | tmp901F.exe | 38 | 10 |
Processes

- C:\Users\Admin\AppData\Local\Temp\PC Cleaner.exe (depth 1, PID 1680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PC Cleaner.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\msiexec.exe (depth 2, PID 2896)
    Command line: msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI67E7.tmp
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\msiexec.exe (depth 3, PID 2936)
      Command line: msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI67E7.tmp
      - Modifies visibility of hidden/system files in Explorer
      - Looks for VirtualBox Guest Additions in registry
      - Adds policy Run key to start application
      - Looks for VMWare Tools registry key
      - Checks BIOS information in registry
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Blocklisted process makes network request
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\w32tm.exe (depth 4, PID 2692)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\w32tm.exe"
        - Modifies visibility of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Adds Run key to start application
        - Modifies Control Panel
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
      - C:\Users\Admin\AppData\Local\Temp\tmp901F.exe (depth 4, PID 1876)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp901F.exe" "C:\Users\Admin\AppData\Local\Temp\msiexec.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\tmp901F.exe (depth 5, PID 2700)
          Command line: "C:\Users\Admin\AppData\Local\Temp\tmp901F.exe" "C:\Users\Admin\AppData\Local\Temp\msiexec.exe"
          - Executes dropped EXE
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 636)
        Command line: cmd.exe /c ping 127.0.0.1 >> nul
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\w32tm.exe (depth 5, PID 3000)
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\w32tm.exe"
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
        - C:\Windows\SysWOW64\PING.EXE (depth 5, PID 2064)
          Command line: ping 127.0.0.1
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15

- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (2)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (3)
  - Virtualization/Sandbox Evasion (2)
Downloads

- C:\$Recycle.bin\S-1-5-21-3692679935-4019334568-335155002-1000\$ast-S-1-5-21-3692679935-4019334568-335155002-1000\5hnR7dhKyh9_Evoj0QwDbaU.dat
  - Filesize: 21KB
  - MD5: cd83037df42f614d3899a1eacb4760f5
  - SHA1: 5e2417ac504171bf21ddca6a27a1387c2ea83a3f
  - SHA256: 32d51ee9fc7b137acbc50975afd05ffae8f8a0cd7cc052452053bde6a5115a78
  - SHA512: 748d41d2774ed5834c7c2709d8fe5c79dfc4810874cdb76bf3f58ff929ef6d802f5109ed8104ca8301771951543ac09e4c3198b5906e8b2bc2ebcaa97dd79042
- C:\$Recycle.bin\S-1-5-21-3692679935-4019334568-335155002-1000\$ast-S-1-5-21-3692679935-4019334568-335155002-1000\UHzAzdBaQuEVjTaXENSnmGnm.dat
  - Filesize: 5KB
  - MD5: e15aebc82952f380f59f11f43054f17a
  - SHA1: 890c0633927369e62cc49f9b985d630cf93119d0
  - SHA256: 7d195775090e4d09d97f3a2d2a6081d35a7c4cfb7adb49ff01c2b03052aa7bdd
  - SHA512: 665cbead47454e6f697c929a86838c504fe1e83c885d5a9f33c48306dc489d1f65c44222a66dbc4242bdafc91190a525fe554f06d2b26ed9dc425631cd8f1085
- C:\$Recycle.bin\S-1-5-21-3692679935-4019334568-335155002-1000\$ast-S-1-5-21-3692679935-4019334568-335155002-1000\tw5btYTgoTkpZteCA.dat
  - Filesize: 130KB
  - MD5: d4f33588f6caa751b2362c6f27ccbb78
  - SHA1: e939be159c4d7fa1ba49615d13117d09fc22cdbc
  - SHA256: c0d65fafc7714bfd2c9942ded8a3ebdb2aa57f3489b54eb8f4e0ca121eedb35b
  - SHA512: 24b55012473f1f3eb198605f9b78bc45e4ad1674da20b5b2cdc18e5e9c42556d8ee1fa1f5376a02e78fc93a7150afc7649cdde952f5e1292f42f671adaa583ec
- (no path recorded in the report)
  - Filesize: 401KB
  - MD5: 8028ee3776ac68bb5789575e5a904465
  - SHA1: d142f9a30280f31b173080388bc04c71b6c45cc6
  - SHA256: f5096a51fdc054c4a217966b22f827a921d50a12436aa995d6f4180bdc4ba420
  - SHA512: 33b988d5d80c072a12454a4eb49a70c93ffb3c418ae4a3ef61f1a2d8e81b0ee1e590e176ccb5391e5e7237822f022151fe4a3d7b979d301d7b1c41d5a544118a
- (no path recorded in the report)
  - Filesize: 1KB
  - MD5: f2510bcdebffecb50bc3e0f4ca111f03
  - SHA1: 85b1aa78da9675bc5cdfb2dfa506f525896d8e66
  - SHA256: 2a1a856ec03ab89af185121cd799d44b68514e084a822d0c3423cd3c17039a33
  - SHA512: 212679d776362ae284bc8e0bf743fc1ac3611b397a3447427ba5fb7abe7d8be4077a2e69f490d2bd8ea8817ed6ab35182a301c705dbcef63065e930a23ccf207
- (no path recorded in the report)
  - Filesize: 130KB
  - MD5: 65ff24f06707a6bc04d634d81de21b62
  - SHA1: 9b67ac725f4943bd5efef3a21dac34fde9dea321
  - SHA256: c55c23f45448d73e5095f5678bd45a7993154b8818d5b29a2e02119c7612f3ba
  - SHA512: 4d84346035ff5a9e58203a4c2a9499dcb735dba29054e4cd0eb422b695621d3e7f25c45053e2ca02688cc8ba54ddcc1bc03e0c7b54e6f068895d60d1bfd52138