infinitylock | 27a1f89ce5a37815010c8411dddec85d5d66e81a957ad722fbd2dc64f99651c8

Analysis

max time kernel
103s
max time network
137s
platform
windows7_x64
resource
win7v20210408
submitted
09-05-2021 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123.exe
Size

89KB
MD5

3822d0484ec81d615a0913c398ad1f83
SHA1

b7bd3e90724189c7316b82a70ce85e0a91855089
SHA256

27a1f89ce5a37815010c8411dddec85d5d66e81a957ad722fbd2dc64f99651c8
SHA512

d103abe81ef9bba19a3f21c8a2742b6a6dad2d147bb440e81b1f17b1d0f67fc3dfa4c33c84ec8b7ca1b107fbd91535ee588d29bded615cff58685eb611665fe8

Score

10^/10

infinitylock ransomware

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\BackupDisconnect.raw.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizeMerge.crw.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveResolve.tiff.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Users\Admin\Pictures\RenamePublish.png.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00390_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN107.XML.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABELHM.POC.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdate.cer.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185780.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RE00006_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15072_.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_ON.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OUTGOING.ICO.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveNewsletter.dotx.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04191_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239955.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294989.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00466_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0214098.WAV.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Waveform.eftx.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18192_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18201_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_K_COL.HXK.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLR.SAM.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00687_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0214934.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241041.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCOUPON.XML.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00414_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Aspect.thmx.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199549.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\FOLDER.ICO.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\SPRING.INF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\WidescreenPresentation.potx.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\PREVIEW.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00234_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CSS7DATA000A.DLL.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00779_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215076.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285926.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.XML.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099174.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18190_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196358.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLADDR.FAE.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\MSOSVINT.DLL.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01167_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01357_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00837_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21339_.GIF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right.gif.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152890.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18222_.WMF.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_F_COL.HXK.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MY.XML.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.DPV.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSETUP.DLL.72AE87B3B16495880F4D95E8AF378345741E87D481630F5FC5A7BD9AC2B19580	123.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	123.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	123.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	123.exe

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-60-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1632-62-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/1632-63-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/1632-64-0x0000000004925000-0x0000000004936000-memory.dmp

Filesize
68KB

Download