Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 05-06-2021 00:09

Static task: static1
Behavioral task: behavioral1
  Sample: locker.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: locker.exe
  Resource: win10v20210410
General
- Target: locker.exe
- Size: 448KB
- MD5: 306c47fcb51611bee1ef804c95c7007f
- SHA1: 9cb58078b3fe2119329e482561d0c7cb740e937c
- SHA256: 877c612cf42d85b943010437599b828383ecdf02a17e2b017367db34637e5463
- SHA512: 3ca64189450cf3c3e9867d79c66ee428a5b72b1f45c06243a4a6ab64a2dfd8970d19dc1fba6404468650afac5341a0affae61e05de501180ec6ead20c333f720

Malware Config
Extracted
- Path: C:\Users\Admin\Desktop\PROTECT_INFO.TXT
- URL: http://dqybwoze7ow3xlamurpfppai4pd6lwybwix2nbhyhcnpsuj3yv32mnyd.onion/index.php
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes (pid / process):
    1944  bcdedit.exe
    1812  bcdedit.exe
- Deletes System State backups (signature header missing on the page; name taken from the wbadmin.exe entry in the process tree below)
  Processes (pid / process):
    1016  wbadmin.exe
- Modifies extensions of user files (12 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / ioc / process):
    File opened for modification  C:\Users\Admin\Pictures\ConfirmPop.raw.nermer  locker.exe
    File created                  C:\Users\Admin\Pictures\EditRedo.tif.nermer  locker.exe
    File opened for modification  C:\Users\Admin\Pictures\EditRedo.tif.nermer  locker.exe
    File created                  C:\Users\Admin\Pictures\ProtectStop.raw.nermer  locker.exe
    File opened for modification  C:\Users\Admin\Pictures\ProtectStop.raw.nermer  locker.exe
    File created                  C:\Users\Admin\Pictures\UnpublishAssert.tif.nermer  locker.exe
    File opened for modification  C:\Users\Admin\Pictures\UnpublishAssert.tif.nermer  locker.exe
    File created                  C:\Users\Admin\Pictures\ConfirmPop.raw.nermer  locker.exe
    File created                  C:\Users\Admin\Pictures\InitializeApprove.tiff.nermer  locker.exe
    File opened for modification  C:\Users\Admin\Pictures\InitializeApprove.tiff.nermer  locker.exe
    File created                  C:\Users\Admin\Pictures\PopEnable.png.nermer  locker.exe
    File opened for modification  C:\Users\Admin\Pictures\PopEnable.png.nermer  locker.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    1448  cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Enumerates connected drives (3 TTPs, 42 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process):
    File opened (read-only)  \??\e:  vssadmin.exe
    File opened (read-only)  \??\B:  locker.exe
    File opened (read-only)  \??\S:  locker.exe
    File opened (read-only)  \??\T:  locker.exe
    File opened (read-only)  \??\E:  vssadmin.exe
    File opened (read-only)  \??\f:  vssadmin.exe
    File opened (read-only)  \??\g:  vssadmin.exe
    File opened (read-only)  \??\h:  vssadmin.exe
    File opened (read-only)  \??\H:  vssadmin.exe
    File opened (read-only)  \??\A:  locker.exe
    File opened (read-only)  \??\D:  vssadmin.exe
    File opened (read-only)  \??\f:  vssadmin.exe
    File opened (read-only)  \??\F:  vssadmin.exe
    File opened (read-only)  \??\F:  vssadmin.exe
    File opened (read-only)  \??\G:  locker.exe
    File opened (read-only)  \??\I:  locker.exe
    File opened (read-only)  \??\K:  locker.exe
    File opened (read-only)  \??\L:  locker.exe
    File opened (read-only)  \??\R:  locker.exe
    File opened (read-only)  \??\U:  locker.exe
    File opened (read-only)  \??\X:  locker.exe
    File opened (read-only)  \??\Z:  locker.exe
    File opened (read-only)  \??\D:  vssadmin.exe
    File opened (read-only)  \??\G:  vssadmin.exe
    File opened (read-only)  \??\J:  locker.exe
    File opened (read-only)  \??\N:  locker.exe
    File opened (read-only)  \??\P:  locker.exe
    File opened (read-only)  \??\e:  vssadmin.exe
    File opened (read-only)  \??\g:  vssadmin.exe
    File opened (read-only)  \??\H:  locker.exe
    File opened (read-only)  \??\V:  locker.exe
    File opened (read-only)  \??\E:  vssadmin.exe
    File opened (read-only)  \??\H:  vssadmin.exe
    File opened (read-only)  \??\F:  locker.exe
    File opened (read-only)  \??\h:  vssadmin.exe
    File opened (read-only)  \??\Q:  locker.exe
    File opened (read-only)  \??\W:  locker.exe
    File opened (read-only)  \??\Y:  locker.exe
    File opened (read-only)  \??\G:  vssadmin.exe
    File opened (read-only)  \??\E:  locker.exe
    File opened (read-only)  \??\M:  locker.exe
    File opened (read-only)  \??\O:  locker.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description / ioc / process):
    File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl  wbadmin.exe
    File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl  wbadmin.exe
    File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl  wbadmin.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 13 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid / process):
    1016  vssadmin.exe
    1700  vssadmin.exe
    1060  vssadmin.exe
    1732  vssadmin.exe
    1236  vssadmin.exe
    768   vssadmin.exe
    1544  vssadmin.exe
    1524  vssadmin.exe
    1740  vssadmin.exe
    1632  vssadmin.exe
    1968  vssadmin.exe
    1456  vssadmin.exe
    1468  vssadmin.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes (pid / process):
    1576  NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes (pid / process):
    788  locker.exe  (the same row is reported 25 times)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes (description / pid / process):
    Token: SeBackupPrivilege             1260  vssvc.exe
    Token: SeRestorePrivilege            1260  vssvc.exe
    Token: SeAuditPrivilege              1260  vssvc.exe
    Token: SeIncreaseQuotaPrivilege      1896  wmic.exe
    Token: SeSecurityPrivilege           1896  wmic.exe
    Token: SeTakeOwnershipPrivilege      1896  wmic.exe
    Token: SeLoadDriverPrivilege         1896  wmic.exe
    Token: SeSystemProfilePrivilege      1896  wmic.exe
    Token: SeSystemtimePrivilege         1896  wmic.exe
    Token: SeProfSingleProcessPrivilege  1896  wmic.exe
    Token: SeIncBasePriorityPrivilege    1896  wmic.exe
    Token: SeCreatePagefilePrivilege     1896  wmic.exe
    Token: SeBackupPrivilege             1896  wmic.exe
    Token: SeRestorePrivilege            1896  wmic.exe
    Token: SeShutdownPrivilege           1896  wmic.exe
    Token: SeDebugPrivilege              1896  wmic.exe
    Token: SeSystemEnvironmentPrivilege  1896  wmic.exe
    Token: SeRemoteShutdownPrivilege     1896  wmic.exe
    Token: SeUndockPrivilege             1896  wmic.exe
    Token: SeManageVolumePrivilege       1896  wmic.exe
    Token: 33                            1896  wmic.exe
    Token: 34                            1896  wmic.exe
    Token: 35                            1896  wmic.exe
- Suspicious use of WriteProcessMemory (54 IoCs)
  Processes (description / pid / process / target process); every row below appears three times on the page, 54 entries in total:
    PID 788 wrote to memory of 1236  788  locker.exe  vssadmin.exe
    PID 788 wrote to memory of 768   788  locker.exe  vssadmin.exe
    PID 788 wrote to memory of 1544  788  locker.exe  vssadmin.exe
    PID 788 wrote to memory of 1632  788  locker.exe  vssadmin.exe
    PID 788 wrote to memory of 1524  788  locker.exe  vssadmin.exe
    PID 788 wrote to memory of 1016  788  locker.exe  vssadmin.exe
    PID 788 wrote to memory of 1968  788  locker.exe  vssadmin.exe
    PID 788 wrote to memory of 1700  788  locker.exe  vssadmin.exe
    PID 788 wrote to memory of 1456  788  locker.exe  vssadmin.exe
    PID 788 wrote to memory of 1468  788  locker.exe  vssadmin.exe
    PID 788 wrote to memory of 1060  788  locker.exe  vssadmin.exe
    PID 788 wrote to memory of 1732  788  locker.exe  vssadmin.exe
    PID 788 wrote to memory of 1740  788  locker.exe  vssadmin.exe
    PID 788 wrote to memory of 1944  788  locker.exe  bcdedit.exe
    PID 788 wrote to memory of 1812  788  locker.exe  bcdedit.exe
    PID 788 wrote to memory of 1016  788  locker.exe  wbadmin.exe
    PID 788 wrote to memory of 1896  788  locker.exe  wmic.exe
    PID 788 wrote to memory of 1448  788  locker.exe  cmd.exe
- System policy modification (1 TTP, 1 IoC)
  Processes (description / ioc / process):
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  locker.exe
Processes (child processes are indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\locker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\locker.exe"
  Signatures: Modifies extensions of user files; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
    Signatures: Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
    Signatures: Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\system32\bcdedit.exe
    Command line: bcdedit.exe /set {default} recoveryenabled No
    Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\system32\bcdedit.exe
    Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\system32\wbadmin.exe
    Command line: wbadmin DELETE SYSTEMSTATEBACKUP
    Signatures: Deletes System State backups; Drops file in Windows directory
  - C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\locker.exe >> NUL
    Signatures: Deletes itself
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PROTECT_INFO.TXT
  Signatures: Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\Desktop\PROTECT_INFO.TXT
  MD5: 264097a1bae07723d1b9ab2e57343972
  SHA1: 7cd046826c0e59e3f10580210e4e544aec773c67
  SHA256: 7d8ef53f095f2852bca36863c6707c97599125ba170eee156b85a33c984a5bdf
  SHA512: e88dd27e92934c3125269e93e015f3b27b236f791ee1d94545037e57f83f6afbc7c6ade74bd99a7344b1751e043fd25302e6c00c33a1b8990fecc6e278683162
- memory/768-62-0x0000000000000000-mapping.dmp
- memory/788-60-0x000007FEFB891000-0x000007FEFB893000-memory.dmp (Filesize: 8KB)
- memory/1016-66-0x0000000000000000-mapping.dmp
- memory/1016-76-0x0000000000000000-mapping.dmp
- memory/1060-71-0x0000000000000000-mapping.dmp
- memory/1236-61-0x0000000000000000-mapping.dmp
- memory/1448-82-0x0000000000000000-mapping.dmp
- memory/1456-69-0x0000000000000000-mapping.dmp
- memory/1468-70-0x0000000000000000-mapping.dmp
- memory/1524-65-0x0000000000000000-mapping.dmp
- memory/1544-63-0x0000000000000000-mapping.dmp
- memory/1632-64-0x0000000000000000-mapping.dmp
- memory/1700-68-0x0000000000000000-mapping.dmp
- memory/1732-72-0x0000000000000000-mapping.dmp
- memory/1740-73-0x0000000000000000-mapping.dmp
- memory/1812-75-0x0000000000000000-mapping.dmp
- memory/1896-78-0x0000000000000000-mapping.dmp
- memory/1944-74-0x0000000000000000-mapping.dmp
- memory/1968-67-0x0000000000000000-mapping.dmp