Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 21:00

General

  • Target

    SecuriteInfo.com.FileCryptor.PSW.3725.32198.exe

  • Size

    621KB

  • MD5

    35ac4323f2ba28cc314cc9cd8be87326

  • SHA1

    23177683c38774505bbfaaeba9060659d1086d85

  • SHA256

    da0c0089713cfd5b47f425f23c23f9a9d82e62000873747dce1a73220319f93e

  • SHA512

    a0e8acd3850bbae521130dd4bc67692a4fc9b5c2a7d33c4d31666c99347603a301cd24f63c1fa5e4ac63f8e1bda6dbdf048f248ab96f2a7d1d899372846ca8e4

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Modifies service 2 TTPs 6 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileCryptor.PSW.3725.32198.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileCryptor.PSW.3725.32198.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies service
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\asasin.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1464 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1692
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileCryptor.PSW.3725.32198.exe"
      2⤵
      • Deletes itself
      PID:1680
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1064
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A65A6026-F793-4897-A900-B81859CD96C9} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      2⤵
      • Interacts with shadow copies
      PID:1296
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1532

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031): 1

  • Defense Evasion

    File Deletion (T1107): 2

    Modify Registry (T1112): 3

  • Impact

    Inhibit System Recovery (T1490): 2

    Defacement (T1491): 1

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NDBWA4DC.txt
    MD5

    dd09a69d7c22f198973435cc215c9289

    SHA1

    78b85c888214bbf53977b73e6915502a0c448210

    SHA256

    c3f89d2ceada2b217978c888d8196fbabe70cdfab2b20153e1ff1e521fffdd35

    SHA512

    cbdd8a1c58d6df2d547330000d5860efc4e437e7d378c62d0dac6bb6157334d51a4f7d5bd1891d69091764d8ba970e360c60f10ed63b59187fc0bee3375f8a15

  • C:\Users\Admin\Desktop\asasin.bmp
    MD5

    a1d31d738d9fe9852cfcea66937b004b

    SHA1

    2e1b95ca23971e248d2c482a4197d124f3390429

    SHA256

    b6b92eb62c110b9931ad2fa0d19765bc5dc5e5ac81b037a00f42a11d15550af2

    SHA512

    6cf3d6f41429b60810bbe52d0fd663384f951cf89880a210e5a194903a3b4f85268025de96fb21d694f828038219bd29482ae8da7992c05a549484f85c63e6cf

  • C:\Users\Admin\Desktop\asasin.htm
    MD5

    f0b8461aeecb092966005e0679828595

    SHA1

    31d21ccc5386c8453e99485378ffd91051776d7d

    SHA256

    b8d30deca511c1fb19fedb1d76330e0403ee6ed466e6b8897afc3b80974ff848

    SHA512

    6bbe6d87826f612aaef57db4725e9fc5624e58e905b680146aa9cb5acc49c6d0f7eb89a1e25bffd0cc4b1ae6303fc8a513c4f768a238dd33e56356e45e70d941

  • memory/1296-0-0x0000000000000000-mapping.dmp
  • memory/1384-2-0x000007FEF7F80000-0x000007FEF81FA000-memory.dmp
    Filesize

    2.5MB

  • memory/1464-1-0x0000000000000000-mapping.dmp
  • memory/1680-4-0x0000000000000000-mapping.dmp
  • memory/1692-3-0x0000000000000000-mapping.dmp