Analysis

  • max time kernel
    300s
  • max time network
    305s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-11-2024 03:36

General

  • Target

    PC Cleaner.exe

  • Size

    4.4MB

  • MD5

    16a63ddd49552199b3a92b5fe88f804f

  • SHA1

    bb5b1bcecfc8737b3397bc8442a4e483b1df5951

  • SHA256

    b46940adcfefac96db737aa663f44e31e071fb7bffc757f98d811c2d82f1d3b8

  • SHA512

    8ebf6a3ba7c866328ffd8fbd85d1a4946f806cd4a65540e0db389f7f6dadf0666ec8c7980455934234d469c2d8aaf7da7d630bd98640323f717722b62f6176cd

  • SSDEEP

    98304:ywCDueZbuJtHA0QUCb7Yv8b8SIXtiogjiAuC475j:KueA7ZQ9Yv8jdWAS75j

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Looks for VMware Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PC Cleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\PC Cleaner.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\msiexec.exe
      msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI67E7.tmp
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Users\Admin\AppData\Local\Temp\msiexec.exe
        msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI67E7.tmp
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Looks for VirtualBox Guest Additions in registry
        • Adds policy Run key to start application
        • Looks for VMware Tools registry key
        • Checks BIOS information in registry
        • Drops startup file
        • Loads dropped DLL
        • Adds Run key to start application
        • Blocklisted process makes network request
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\w32tm.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\w32tm.exe"
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies Control Panel
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2692
        • C:\Users\Admin\AppData\Local\Temp\tmp901F.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp901F.exe" "C:\Users\Admin\AppData\Local\Temp\msiexec.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1876
          • C:\Users\Admin\AppData\Local\Temp\tmp901F.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp901F.exe" "C:\Users\Admin\AppData\Local\Temp\msiexec.exe"
            5⤵
            • Executes dropped EXE
            PID:2700
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c ping 127.0.0.1 >> nul
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:636
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\w32tm.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\w32tm.exe"
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            PID:3000
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2064
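The tree above, read together with the Signatures list, shows a recognisable shape: a dropped binary carrying a Windows system name (msiexec.exe in Temp, w32tm.exe under Roaming\Microsoft\Windows\IEUpdate) launches a second copy of itself with the identical command line and writes into it (SetThreadContext, WriteProcessMemory), the injected copy queries VirtualBox, VMware and BIOS registry data, persists through the Run key, the policy Run key and a Startup-folder .lnk, and uses cmd /c ping 127.0.0.1 as a sleep before relaunching w32tm.exe. The Python below is an added example, not code from the report or from the sandbox vendor: detection rules for those behaviours, run over constructed process, registry and file events modelled on this tree. The registry paths used for the three anti-VM checks and the "w32tm" value name under the Run keys are assumptions; the report names the checks and the .lnk, not those paths.

```python
"""Added example (not part of the sandbox report): detection rules for the
behaviours the report describes, run over constructed events modelled on its
process tree."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    key: str
    op: str  # "read" or "write"


@dataclass
class FileEvent:
    pid: int
    path: str


SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Windows binaries the sample imitates; the genuine copies live in SYSTEM_DIRS.
SYSTEM_BINARIES = {"msiexec.exe", "w32tm.exe"}
# Registry paths ASSUMED for the three anti-VM signatures; the report names the
# checks, not the keys. Matched case-insensitively as substrings.
VM_ARTIFACT_KEYS = (
    r"software\oracle\virtualbox guest additions",
    r"software\vmware, inc.\vmware tools",
    r"hardware\description\system\bios",
)
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)
STARTUP_DIR = "\\start menu\\programs\\startup\\"
PING_DELAY = re.compile(r"cmd\.exe\s+/c\s+ping\s+127\.0\.0\.1\b", re.I)


def masquerading(p: ProcEvent) -> bool:
    """A system-binary name executing outside System32/SysWOW64."""
    name = ntpath.basename(p.image).lower()
    return name in SYSTEM_BINARIES and ntpath.dirname(p.image).lower() not in SYSTEM_DIRS


def self_spawn(p: ProcEvent, by_pid: dict) -> bool:
    """Child with the same image and command line as its parent: the shape a
    suspended-copy injection (SetThreadContext + WriteProcessMemory) leaves."""
    parent = by_pid.get(p.ppid)
    return (parent is not None and parent.image.lower() == p.image.lower()
            and parent.cmdline == p.cmdline)


def ping_delay(p: ProcEvent) -> bool:
    """cmd /c ping 127.0.0.1 used as a sleep before relaunching the payload."""
    return PING_DELAY.search(p.cmdline) is not None


def triage(procs, regs, files):
    """Return (pid, rule, detail) tuples for every event that matches a rule."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if masquerading(p):
            findings.append((p.pid, "masquerading", p.image))
        if self_spawn(p, by_pid):
            findings.append((p.pid, "self-spawn", p.image))
        if ping_delay(p):
            findings.append((p.pid, "ping-delay", p.cmdline))
    for r in regs:
        key = r.key.lower()
        if r.op == "read" and any(k in key for k in VM_ARTIFACT_KEYS):
            findings.append((r.pid, "anti-vm-check", r.key))
        if r.op == "write" and any(k in key for k in RUN_KEYS):
            findings.append((r.pid, "run-key-persistence", r.key))
    for f in files:
        if STARTUP_DIR in f.path.lower():
            findings.append((f.pid, "startup-folder-persistence", f.path))
    return findings


# Constructed events modelled on the report's process tree (PIDs as reported).
T = r"C:\Users\Admin\AppData\Local\Temp"
R = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
MSI_CMD = f"msiexec.exe /i {T}\\MSI67E7.tmp"
TMP_CMD = f'"{T}\\tmp901F.exe" "{T}\\msiexec.exe"'
SAMPLE_PROCS = [
    ProcEvent(1680, 1, f"{T}\\PC Cleaner.exe", f'"{T}\\PC Cleaner.exe"'),
    ProcEvent(2896, 1680, f"{T}\\msiexec.exe", MSI_CMD),
    ProcEvent(2936, 2896, f"{T}\\msiexec.exe", MSI_CMD),
    ProcEvent(2692, 2936, f"{R}\\IEUpdate\\w32tm.exe", f'"{R}\\IEUpdate\\w32tm.exe"'),
    ProcEvent(1876, 2936, f"{T}\\tmp901F.exe", TMP_CMD),
    ProcEvent(2700, 1876, f"{T}\\tmp901F.exe", TMP_CMD),
    ProcEvent(636, 2936, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c ping 127.0.0.1 >> nul"),
    ProcEvent(2064, 636, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
SAMPLE_REGS = [  # the value name "w32tm" under both Run keys is an assumption
    RegEvent(2936, r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions", "read"),
    RegEvent(2936, r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools", "read"),
    RegEvent(2936, r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "read"),
    RegEvent(2936, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\w32tm", "write"),
    RegEvent(2936, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\w32tm", "write"),
]
SAMPLE_FILES = [FileEvent(2936, f"{R}\\Start Menu\\Programs\\StartUp\\w32tm.lnk")]

if __name__ == "__main__":
    for pid, rule, detail in triage(SAMPLE_PROCS, SAMPLE_REGS, SAMPLE_FILES):
        print(f"{pid:>5}  {rule:<28} {detail}")
```

The self-spawn rule alone is noisy on a real host (many installers and browsers relaunch themselves); what makes this tree worth escalating is the combination: the self-spawning process is a system-binary name outside System32, and the same PID (2936) then performs the anti-VM reads and all three persistence writes. On real telemetry, key events carry the full path and value name, so the substring matches above need to be anchored to the hive prefix used by that source.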

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.bin\S-1-5-21-3692679935-4019334568-335155002-1000\$ast-S-1-5-21-3692679935-4019334568-335155002-1000\5hnR7dhKyh9_Evoj0QwDbaU.dat

    Filesize

    21KB

    MD5

    cd83037df42f614d3899a1eacb4760f5

    SHA1

    5e2417ac504171bf21ddca6a27a1387c2ea83a3f

    SHA256

    32d51ee9fc7b137acbc50975afd05ffae8f8a0cd7cc052452053bde6a5115a78

    SHA512

    748d41d2774ed5834c7c2709d8fe5c79dfc4810874cdb76bf3f58ff929ef6d802f5109ed8104ca8301771951543ac09e4c3198b5906e8b2bc2ebcaa97dd79042

  • C:\$Recycle.bin\S-1-5-21-3692679935-4019334568-335155002-1000\$ast-S-1-5-21-3692679935-4019334568-335155002-1000\UHzAzdBaQuEVjTaXENSnmGnm.dat

    Filesize

    5KB

    MD5

    e15aebc82952f380f59f11f43054f17a

    SHA1

    890c0633927369e62cc49f9b985d630cf93119d0

    SHA256

    7d195775090e4d09d97f3a2d2a6081d35a7c4cfb7adb49ff01c2b03052aa7bdd

    SHA512

    665cbead47454e6f697c929a86838c504fe1e83c885d5a9f33c48306dc489d1f65c44222a66dbc4242bdafc91190a525fe554f06d2b26ed9dc425631cd8f1085

  • C:\$Recycle.bin\S-1-5-21-3692679935-4019334568-335155002-1000\$ast-S-1-5-21-3692679935-4019334568-335155002-1000\tw5btYTgoTkpZteCA.dat

    Filesize

    130KB

    MD5

    d4f33588f6caa751b2362c6f27ccbb78

    SHA1

    e939be159c4d7fa1ba49615d13117d09fc22cdbc

    SHA256

    c0d65fafc7714bfd2c9942ded8a3ebdb2aa57f3489b54eb8f4e0ca121eedb35b

    SHA512

    24b55012473f1f3eb198605f9b78bc45e4ad1674da20b5b2cdc18e5e9c42556d8ee1fa1f5376a02e78fc93a7150afc7649cdde952f5e1292f42f671adaa583ec

  • C:\Users\Admin\AppData\Local\Temp\tmp901F.exe

    Filesize

    401KB

    MD5

    8028ee3776ac68bb5789575e5a904465

    SHA1

    d142f9a30280f31b173080388bc04c71b6c45cc6

    SHA256

    f5096a51fdc054c4a217966b22f827a921d50a12436aa995d6f4180bdc4ba420

    SHA512

    33b988d5d80c072a12454a4eb49a70c93ffb3c418ae4a3ef61f1a2d8e81b0ee1e590e176ccb5391e5e7237822f022151fe4a3d7b979d301d7b1c41d5a544118a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\w32tm.lnk

    Filesize

    1KB

    MD5

    f2510bcdebffecb50bc3e0f4ca111f03

    SHA1

    85b1aa78da9675bc5cdfb2dfa506f525896d8e66

    SHA256

    2a1a856ec03ab89af185121cd799d44b68514e084a822d0c3423cd3c17039a33

    SHA512

    212679d776362ae284bc8e0bf743fc1ac3611b397a3447427ba5fb7abe7d8be4077a2e69f490d2bd8ea8817ed6ab35182a301c705dbcef63065e930a23ccf207

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\w32tm.exe

    Filesize

    130KB

    MD5

    65ff24f06707a6bc04d634d81de21b62

    SHA1

    9b67ac725f4943bd5efef3a21dac34fde9dea321

    SHA256

    c55c23f45448d73e5095f5678bd45a7993154b8818d5b29a2e02119c7612f3ba

    SHA512

    4d84346035ff5a9e58203a4c2a9499dcb735dba29054e4cd0eb422b695621d3e7f25c45053e2ca02688cc8ba54ddcc1bc03e0c7b54e6f068895d60d1bfd52138

  • memory/1876-81-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/1876-66-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2692-64-0x0000000001EE0000-0x0000000001EEB000-memory.dmp

    Filesize

    44KB

  • memory/2692-62-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

  • memory/2692-65-0x0000000001EE0000-0x0000000001EEB000-memory.dmp

    Filesize

    44KB

  • memory/2700-82-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2700-78-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2896-1-0x0000000000240000-0x0000000000276000-memory.dmp

    Filesize

    216KB

  • memory/2936-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2936-34-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2936-3-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2936-6-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2936-8-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2936-14-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2936-16-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2936-18-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2936-10-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2936-5-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB