Analysis
- max time kernel: 140s
- max time network: 141s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 21:00
Static task static1
Behavioral task behavioral1
  Sample: SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
  Resource: win7v20201028
Behavioral task behavioral2
  Sample: SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
  Resource: win10v20201028
General
- Target: SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
- Size: 625KB
- MD5: 1934bc240ae9e8e101490a9dab13c079
- SHA1: a0218048aaca34259d0651d911b81f9f12a30326
- SHA256: c2e56510866a6e038ac723a3e5a2ac66b14f407b91886077727f622f561164e3
- SHA512: c7f3c47a2be2be14387f762164db8b4d097cddd1f72efa0e81e59379b1e44cb7f71b56c05920ecbadc6662c58d9bb84d2c8dd4ffae9ecbae67bf0d8978a8a5d5
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
  description | ioc | process
  File opened for modification | \??\c:\Users\Admin\Pictures\RemoveDisconnect.tiff | SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
  File opened for modification | \??\c:\Users\Admin\Pictures\RestoreRevoke.tiff | SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
  File opened for modification | \??\c:\Users\Admin\Pictures\StepJoin.tiff | SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
-
Deletes itself (1 IoC)
Processes: cmd.exe
  pid | process
  1600 | cmd.exe
-
Modifies service (2 TTPs, 6 IoCs)
Processes: vssvc.exe, SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher | SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
-
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\asasin.bmp" | SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
-
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  pid | process
  968 | vssadmin.exe
-
Modifies Control Panel (2 IoCs)
Processes: SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\Desktop\WallpaperStyle = "0" | SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\Desktop\TileWallpaper = "0" | SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b6600000000020000000000106600000001000020000000855fb3834b166c45f5daac5b27558077aabcd20f6c5a7aa6eebf1c9f9f1b74f2000000000e8000000002000020000000bae23ba89b6993f8788059506313cf80878ca5ec4f50c08043da1ec3c658abe920000000fc72d8390d2c6f89aeeb921ab83e945fddde5db3caeec34dac59713bbd05c5e440000000527571854846712b755133d574879cc0cd1c9a694e1787df26e1c84f740f5f657fab47aa87be9b35ebb920be76b14453017555be4489df1c9d59d56a554d65a0 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "311839210" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BBF084F1-23E2-11EB-9964-C611B4A1F110} = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80ef8995efb7d601 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
-
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1080 | SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
  Token: SeTakeOwnershipPrivilege | 1080 | SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
  Token: SeBackupPrivilege | 1080 | SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
  Token: SeRestorePrivilege | 1080 | SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
  Token: SeBackupPrivilege | 1580 | vssvc.exe
  Token: SeRestorePrivilege | 1580 | vssvc.exe
  Token: SeAuditPrivilege | 1580 | vssvc.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: iexplore.exe, DllHost.exe
  pid | process
  2036 | iexplore.exe
  1980 | DllHost.exe
-
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: iexplore.exe, IEXPLORE.EXE
  pid | process
  2036 | iexplore.exe
  2036 | iexplore.exe
  1736 | IEXPLORE.EXE
  1736 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: taskeng.exe, SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe, iexplore.exe
  description | pid | process | target process
  PID 460 wrote to memory of 968 | 460 | taskeng.exe | vssadmin.exe (3 events)
  PID 1080 wrote to memory of 2036 | 1080 | SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe | iexplore.exe (4 events)
  PID 1080 wrote to memory of 1600 | 1080 | SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe | cmd.exe (4 events)
  PID 2036 wrote to memory of 1736 | 2036 | iexplore.exe | IEXPLORE.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe"
  - Modifies extensions of user files
  - Modifies service
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe (depth 2)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\asasin.htm
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 3)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe"
    - Deletes itself
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {60D0C371-E6AB-4A7F-B238-51082FFFDB7D} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe (depth 2)
    Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
    - Interacts with shadow copies
- C:\Windows\SysWOW64\DllHost.exe (depth 1)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FAVMOO3S.txt
  MD5: 029967bb8b03c0dad8fb4a84615fa1dc
  SHA1: c6bcfcfecccda2f9a4dc1b8264e626a8f46ce7ca
  SHA256: b03ce153ebb46051eebe732a52c6bdb7d41ace34a8f1b55502b2ab4804a7b712
  SHA512: 79fca22662df59a7304af4074eb2987f7d6cd92b01255762b366efd793ed4370952b516c45b878575c9644443018e79716db8f7a2921fa3b377d44ec959f7d13
- C:\Users\Admin\Desktop\asasin.bmp
  MD5: a1d31d738d9fe9852cfcea66937b004b
  SHA1: 2e1b95ca23971e248d2c482a4197d124f3390429
  SHA256: b6b92eb62c110b9931ad2fa0d19765bc5dc5e5ac81b037a00f42a11d15550af2
  SHA512: 6cf3d6f41429b60810bbe52d0fd663384f951cf89880a210e5a194903a3b4f85268025de96fb21d694f828038219bd29482ae8da7992c05a549484f85c63e6cf
- C:\Users\Admin\Desktop\asasin.htm
  MD5: f0b8461aeecb092966005e0679828595
  SHA1: 31d21ccc5386c8453e99485378ffd91051776d7d
  SHA256: b8d30deca511c1fb19fedb1d76330e0403ee6ed466e6b8897afc3b80974ff848
  SHA512: 6bbe6d87826f612aaef57db4725e9fc5624e58e905b680146aa9cb5acc49c6d0f7eb89a1e25bffd0cc4b1ae6303fc8a513c4f768a238dd33e56356e45e70d941
- memory/316-3-0x000007FEF63C0000-0x000007FEF663A000-memory.dmp
  Filesize: 2.5MB
- memory/968-0-0x0000000000000000-mapping.dmp
- memory/1600-4-0x0000000000000000-mapping.dmp
- memory/1736-5-0x0000000000000000-mapping.dmp
- memory/2036-2-0x0000000000000000-mapping.dmp