Overview

overview

10

Static

static

SecuriteIn...67.exe

windows7_x64

10

SecuriteIn...67.exe

windows10_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe

  • Size

    625KB

  • MD5

    1934bc240ae9e8e101490a9dab13c079

  • SHA1

    a0218048aaca34259d0651d911b81f9f12a30326

  • SHA256

    c2e56510866a6e038ac723a3e5a2ac66b14f407b91886077727f622f561164e3

  • SHA512

    c7f3c47a2be2be14387f762164db8b4d097cddd1f72efa0e81e59379b1e44cb7f71b56c05920ecbadc6662c58d9bb84d2c8dd4ffae9ecbae67bf0d8978a8a5d5

Score
10/10
lockypersistenceransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Modifies service 2 TTPs 6 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies service
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\asasin.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1736
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileCryptor.PTG.13500.21467.exe"
      2⤵
      • Deletes itself
      PID:1600
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1580
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {60D0C371-E6AB-4A7F-B238-51082FFFDB7D} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:460
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      2⤵
      • Interacts with shadow copies
      PID:968
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

3
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FAVMOO3S.txt
    MD5

    029967bb8b03c0dad8fb4a84615fa1dc

    SHA1

    c6bcfcfecccda2f9a4dc1b8264e626a8f46ce7ca

    SHA256

    b03ce153ebb46051eebe732a52c6bdb7d41ace34a8f1b55502b2ab4804a7b712

    SHA512

    79fca22662df59a7304af4074eb2987f7d6cd92b01255762b366efd793ed4370952b516c45b878575c9644443018e79716db8f7a2921fa3b377d44ec959f7d13

    Download Submit
  • C:\Users\Admin\Desktop\asasin.bmp
    MD5

    a1d31d738d9fe9852cfcea66937b004b

    SHA1

    2e1b95ca23971e248d2c482a4197d124f3390429

    SHA256

    b6b92eb62c110b9931ad2fa0d19765bc5dc5e5ac81b037a00f42a11d15550af2

    SHA512

    6cf3d6f41429b60810bbe52d0fd663384f951cf89880a210e5a194903a3b4f85268025de96fb21d694f828038219bd29482ae8da7992c05a549484f85c63e6cf

    Download Submit
  • C:\Users\Admin\Desktop\asasin.htm
    MD5

    f0b8461aeecb092966005e0679828595

    SHA1

    31d21ccc5386c8453e99485378ffd91051776d7d

    SHA256

    b8d30deca511c1fb19fedb1d76330e0403ee6ed466e6b8897afc3b80974ff848

    SHA512

    6bbe6d87826f612aaef57db4725e9fc5624e58e905b680146aa9cb5acc49c6d0f7eb89a1e25bffd0cc4b1ae6303fc8a513c4f768a238dd33e56356e45e70d941

    Download Submit
  • memory/316-3-0x000007FEF63C0000-0x000007FEF663A000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/968-0-0x0000000000000000-mapping.dmp
    Download
  • memory/1600-4-0x0000000000000000-mapping.dmp
    Download
  • memory/1736-5-0x0000000000000000-mapping.dmp
    Download
  • memory/2036-2-0x0000000000000000-mapping.dmp
    Download