infinitylock | 0d2137d133179a2fbff7bf38a8125d4b74e9615aaa47b5f4a3056eccce7a8f6e

Analysis

max time kernel
101s
max time network
136s
platform
windows7_x64
resource
win7v20210408
submitted
09-05-2021 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

321.exe
Size

89KB
MD5

24f89b42a9614bfbdb4c2bf97c0b0257
SHA1

72081b8dafea8abf3cd042d424e9bd751e9e1121
SHA256

0d2137d133179a2fbff7bf38a8125d4b74e9615aaa47b5f4a3056eccce7a8f6e
SHA512

00efae478f575d9c55a225f43002fc28a9c9a4ad6785873f1cfdfe03a84d34a8adc65fb8e41a5c852b7faaf02ec8eb8a7f4d92663aa59d5b9a6a073f1e23817e

Score

10^/10

infinitylock ransomware

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_justify.gif.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Premium.css.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CLICK.WAV.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.XML.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanResume.Dotx.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_F_COL.HXK.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR23F.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00345_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00423_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDREQS.ICO.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00257_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlcecompact35.dll.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01160_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107138.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03339_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAME.DLL.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR45F.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00173_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107734.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149481.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03459_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\DirectDB.dll.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00184_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153299.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.DE.XML.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialResume.dotx.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\THMBNAIL.PNG.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15277_.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTINTL.DLL.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR6B.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\VOLTAGE.WAV.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS53BOXS.POC.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\Office64MUISet.XML.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCNPST32.DLL.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21313_.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEAWSDC.DLL.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NL7MODELS000C.dll.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_alignright.gif.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\PREVIEW.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02464_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10268_.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Clarity.thmx.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Metro.thmx.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14754_.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_over.gif.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOAT.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00177_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107342.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7ES.LEX.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01603_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02077_.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_OliveGreen.gif.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03331_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN090.XML.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.DPV.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02218_.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	321.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	321.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	321.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	321.exe

C:\Users\Admin\AppData\Local\Temp\321.exe
"C:\Users\Admin\AppData\Local\Temp\321.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-60-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/1684-62-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/1684-63-0x0000000000490000-0x00000000004BA000-memory.dmp

Filesize
168KB

Download
memory/1684-64-0x0000000004ED5000-0x0000000004EE6000-memory.dmp

Filesize
68KB

Download