Analysis
- max time kernel: 256s
- max time network: 268s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 20-06-2021 11:28

Tasks:
- Static task: static1
- Behavioral task: behavioral1
- Sample: FishLocker.bin.exe
- Resource: win10v20210408 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: FishLocker.bin.exe
- Size: 218KB
- MD5: 85d90010fed526eef947c440629b82dd
- SHA1: 1df270d02c9ea53f180130e7a219b40146cfca10
- SHA256: 117b0078905f0929a5da0b24e20c76bbaa99151f56789c63b4498143c2261926
- SHA512: 1455958c884f15e03531b1e836269fc6b2bab60e1a4b360e1206568ca7aabee0f55599eab4d11889359818c859d8d37d725bd90109165ca7626d045a81e75be7
- Score: 10/10
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- FishLocker.bin.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"

Disables Task Manager via registry modification

Possible privilege escalation attempt (4 IoCs)
Processes:
- 2808 icacls.exe
- 2988 takeown.exe
- 1996 icacls.exe
- 3828 takeown.exe

Modifies file permissions (1 TTP, 4 IoCs)
Processes:
- 1996 icacls.exe
- 3828 takeown.exe
- 2808 icacls.exe
- 2988 takeown.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
- 3108 WerFault.exe (target process: 3932 FishLocker.bin.exe)

Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
- 3932 FishLocker.bin.exe
- 3108 WerFault.exe (15 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
- 3932 FishLocker.bin.exe: Token: SeDebugPrivilege (2 entries)
- 3828 takeown.exe: Token: SeTakeOwnershipPrivilege
- 2988 takeown.exe: Token: SeTakeOwnershipPrivilege
- 3108 WerFault.exe: Token: SeShutdownPrivilege
- 3108 WerFault.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
- PID 3932 FishLocker.bin.exe wrote to memory of 2524 cmd.exe (2 entries)
- PID 2524 cmd.exe wrote to memory of 3828 takeown.exe (2 entries)
- PID 2524 cmd.exe wrote to memory of 2808 icacls.exe (2 entries)
- PID 2524 cmd.exe wrote to memory of 2988 takeown.exe (2 entries)
- PID 2524 cmd.exe wrote to memory of 1996 icacls.exe (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\FishLocker.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FishLocker.bin.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\takeown.exe
      Command line: takeown /f C:\Windows\System32
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: icacls C:\Windows\System32 /grant Admin:F
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\system32\takeown.exe
      Command line: takeown /f C:\Windows\System32\drivers
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: icacls C:\Windows\System32\drivers /grant Admin:F
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 3932 -s 1260
    Signatures:
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1996-124-0x0000000000000000-mapping.dmp
- memory/2524-117-0x0000000000000000-mapping.dmp
- memory/2808-121-0x0000000000000000-mapping.dmp
- memory/2988-123-0x0000000000000000-mapping.dmp
- memory/3828-118-0x0000000000000000-mapping.dmp
- memory/3932-119-0x000000001BD12000-0x000000001BD14000-memory.dmp (file size: 8KB)
- memory/3932-120-0x000000001BD14000-0x000000001BD15000-memory.dmp (file size: 4KB)
- memory/3932-114-0x0000000000740000-0x0000000000741000-memory.dmp (file size: 4KB)
- memory/3932-122-0x000000001BD15000-0x000000001BD17000-memory.dmp (file size: 8KB)
- memory/3932-116-0x000000001BD10000-0x000000001BD12000-memory.dmp (file size: 8KB)
- memory/3932-125-0x000000001BD17000-0x000000001BD19000-memory.dmp (file size: 8KB)
- memory/3932-126-0x000000001BD19000-0x000000001BD1F000-memory.dmp (file size: 24KB)
- memory/3932-127-0x0000000000D60000-0x0000000000D64000-memory.dmp (file size: 16KB)
- memory/3932-128-0x0000000000D64000-0x0000000000D67000-memory.dmp (file size: 12KB)
- memory/3932-129-0x0000000000D67000-0x0000000000D6C000-memory.dmp (file size: 20KB)