Overview

overview

10

Static

static

SecuriteIn...67.exe

windows7_x64

10

SecuriteIn...67.exe

windows10_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe

  • Size

    625KB

  • MD5

    1934bc240ae9e8e101490a9dab13c079

  • SHA1

    a0218048aaca34259d0651d911b81f9f12a30326

  • SHA256

    c2e56510866a6e038ac723a3e5a2ac66b14f407b91886077727f622f561164e3

  • SHA512

    c7f3c47a2be2be14387f762164db8b4d097cddd1f72efa0e81e59379b1e44cb7f71b56c05920ecbadc6662c58d9bb84d2c8dd4ffae9ecbae67bf0d8978a8a5d5

Score
10/10
lockypersistenceransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Modifies service 2 TTPs 6 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies service
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\asasin.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1736
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe"
      2⤵
      • Deletes itself
      PID:1600
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1580
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {60D0C371-E6AB-4A7F-B238-51082FFFDB7D} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:460
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      2⤵
      • Interacts with shadow copies
      PID:968
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1980

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/316-3-0x000007FEF63C0000-0x000007FEF663A000-memory.dmp

    Filesize

    2.5MB

    Download