Analysis
-
max time kernel
125s -
max time network
59s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
20-06-2021 00:40
General
-
Target
FishLocker.exe
-
Size
218KB
-
MD5
85d90010fed526eef947c440629b82dd
-
SHA1
1df270d02c9ea53f180130e7a219b40146cfca10
-
SHA256
117b0078905f0929a5da0b24e20c76bbaa99151f56789c63b4498143c2261926
-
SHA512
1455958c884f15e03531b1e836269fc6b2bab60e1a4b360e1206568ca7aabee0f55599eab4d11889359818c859d8d37d725bd90109165ca7626d045a81e75be7
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 4 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\FishLocker.exe"C:\Users\Admin\AppData\Local\Temp\FishLocker.exe"1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System323⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32 /grant Admin:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers /grant Admin:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1636 -s 9762⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/300-69-0x0000000000000000-mapping.dmp
-
memory/300-70-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmpFilesize
8KB
-
memory/300-71-0x0000000000360000-0x0000000000361000-memory.dmpFilesize
4KB
-
memory/616-68-0x0000000000000000-mapping.dmp
-
memory/1196-67-0x0000000000000000-mapping.dmp
-
memory/1636-59-0x0000000000870000-0x0000000000871000-memory.dmpFilesize
4KB
-
memory/1636-61-0x000000001B310000-0x000000001B312000-memory.dmpFilesize
8KB
-
memory/1636-65-0x000000001B312000-0x000000001B313000-memory.dmpFilesize
4KB
-
memory/1636-66-0x000000001B317000-0x000000001B336000-memory.dmpFilesize
124KB
-
memory/1692-64-0x0000000000000000-mapping.dmp
-
memory/1792-63-0x0000000000000000-mapping.dmp
-
memory/1964-62-0x0000000000000000-mapping.dmp