Overview

overview

10

Static

static

a188e147ba...f4.exe

windows7_x64

10

a188e147ba...f4.exe

windows10_x64

10

Analysis

  • max time kernel
    123s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    02-11-2020 04:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe

Score
10/10
regretlockerpersistenceransomwarespyware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\HOW TO RESTORE FILES.TXT

Ransom Note
Hello, friend. All your files were encrypted. If you want to restore them, please email us : [email protected]

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\HOW TO RESTORE FILES.TXT

Ransom Note
Hello, friend. All your files were encrypted. If you want to restore them, please email us : [email protected] Your hash: 593235305054517A4F44556D5A57356B5054456D615751394D535A706344307 84E5451754E6A45754E7A45754E54456D61325635505441314D55557A4D5468 42517A51794D6B4647526A5642515446444E446B794D6A67304E5546464F546 C424D4545324D3055774E444178517A6B314E6A457A4D4545794D6A4A464F44 4242526A497A51546377526A633352546B7A4D6A6777526A4642516A59774E5 559774E7A41334E6B49304E6B4E4452455531526B4A45515449304D7A6B304D 4545324E5451774F544E444E304A434D54597A4D7A684552446842517A4A434 E6A59314F4451334E6A4E454E7A45794D6A4A474D7A4E434D6A677952545243 52554931516B55354E7A46424D454D34515445304E7A51334E6B45334D544A4 34D7A52424E6B56444D5451784D545A454E6A5A4652546734524467304F5556 424E6B4E434D6A6847516A6C434E6A424652455243516A5245516A457952444 1344E6A633251305A4452444D32525552464E3045354E455245524455304E7A 6846517A4E424F4467324F554E444D44676D64476C745A543077534334674D5 53075494455785579346D64584E7950575A6B59546B324F5749304A6E5A7662 4431444F6C77674D5463754D7A6448596938794E5455754E7A464859676F41

Signatures

  • RegretLocker

    Ransomware first reported on Twitter in October 2020.

    ransomwareregretlocker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 29 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Drops file in Program Files directory 7811 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1057 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe
    "C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe"
    1⤵
    • Modifies extensions of user files
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /SC MINUTE /TN "Mouse Application" /TR "C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /SC MINUTE /TN "Mouse Application" /TR "C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1992
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic SHADOWCOPY DELETE & wbadmin DELETE SYSTEMSTATEBACKUP & bcdedit.exe / set{ default } bootstatuspolicy ignoreallfailures & bcdedit.exe / set{ default } recoveryenabled No
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1868
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1824
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {3097E237-3EC9-4911-BC6C-F18603321BC1} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe
      C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe
      2⤵
        PID:2756
      • C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe
        C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe
        2⤵
          PID:2800

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1744-9-0x0000000000390000-0x0000000000391000-memory.dmp

        Filesize

        4KB

        Download