Analysis
- max time kernel: 103s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 20-06-2021 00:40
Static task: static1
Behavioral task: behavioral1
- Sample: FishLocker.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: FishLocker.exe
- Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: FishLocker.exe
- Size: 218KB
- MD5: 85d90010fed526eef947c440629b82dd
- SHA1: 1df270d02c9ea53f180130e7a219b40146cfca10
- SHA256: 117b0078905f0929a5da0b24e20c76bbaa99151f56789c63b4498143c2261926
- SHA512: 1455958c884f15e03531b1e836269fc6b2bab60e1a4b360e1206568ca7aabee0f55599eab4d11889359818c859d8d37d725bd90109165ca7626d045a81e75be7
- Score: 10/10
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: FishLocker.exe
  description        ioc                                                                                       process
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"   FishLocker.exe
- Disables Task Manager via registry modification
- Possible privilege escalation attempt (4 IoCs)
  Processes: icacls.exe, takeown.exe
  pid    process
  1220   icacls.exe
  1868   takeown.exe
  2468   icacls.exe
  4040   takeown.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes: takeown.exe, icacls.exe
  pid    process
  1868   takeown.exe
  2468   icacls.exe
  4040   takeown.exe
  1220   icacls.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: FishLocker.exe
  pid    process
  900    FishLocker.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: FishLocker.exe, takeown.exe
  description                       pid    process
  Token: SeDebugPrivilege           900    FishLocker.exe
  Token: SeDebugPrivilege           900    FishLocker.exe
  Token: SeTakeOwnershipPrivilege   1868   takeown.exe
  Token: SeTakeOwnershipPrivilege   4040   takeown.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: FishLocker.exe, cmd.exe
  description                        pid    process          target process
  PID 900 wrote to memory of 3700    900    FishLocker.exe   cmd.exe
  PID 900 wrote to memory of 3700    900    FishLocker.exe   cmd.exe
  PID 3700 wrote to memory of 1868   3700   cmd.exe          takeown.exe
  PID 3700 wrote to memory of 1868   3700   cmd.exe          takeown.exe
  PID 3700 wrote to memory of 2468   3700   cmd.exe          icacls.exe
  PID 3700 wrote to memory of 2468   3700   cmd.exe          icacls.exe
  PID 3700 wrote to memory of 4040   3700   cmd.exe          takeown.exe
  PID 3700 wrote to memory of 4040   3700   cmd.exe          takeown.exe
  PID 3700 wrote to memory of 1220   3700   cmd.exe          icacls.exe
  PID 3700 wrote to memory of 1220   3700   cmd.exe          icacls.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\FishLocker.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\FishLocker.exe"
  - Modifies WinLogon for persistence
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (level 2)
    command line: "C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe (level 3)
      command line: takeown /f C:\Windows\System32
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (level 3)
      command line: icacls C:\Windows\System32 /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\system32\takeown.exe (level 3)
      command line: takeown /f C:\Windows\System32\drivers
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (level 3)
      command line: icacls C:\Windows\System32\drivers /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads