Analysis

  • max time kernel
    164s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    26-07-2021 12:58

General

  • Target

    b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe

  • Size

    363KB

  • MD5

    28b44669d6e7bc7ede7f5586a938b1cb

  • SHA1

    8b5afcc257edb2e585fbe5ae9174921bbe51cffd

  • SHA256

    b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c

  • SHA512

    131d4a2baa13e38c3351a49aa3e4630a2766d16333e35b7e6eaf004f3ba46830765af505c5334e7df35e9aaf32bcb917018ea7b6e83f787ce432fe89969f86bd

Malware Config

Extracted

Path

C:\ProgramData\cryptinfo.txt

Ransom Note
Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 1072 GBP in Bitcoin currency in order to receive a decryption key. In order to purchase Bitcions you can use www.coinbase.com After buying BTC send the equivalent of 1072 GBP to our BTC adress: 166vHLnGB1pCQGxdBkRiMkHW5WGQDbsw6s After payment contact us to receive your decryption key. In mail title write your unique ID: DMALOCK 43:41:90:35:25:13:61:92 Our e-mail: team4004@gmx.com ATTENTION! To ensure you that you can recover your data we are able to decrypt two files of your choice that are not larger than 1MB! ATTENTION! Even if your antivirus has removed our program, your data may be still recovered!
Emails

team4004@gmx.com

Wallets

166vHLnGB1pCQGxdBkRiMkHW5WGQDbsw6s

Signatures

  • DMA Locker

    Ransomware family with some advanced features, like encryption of unmapped network shares.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\ProgramData\svchosd.exe
      "C:\ProgramData\svchosd.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      PID:1304

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (1 match) - T1060
  • Defense Evasion
    Modify Registry (1 match) - T1112

Downloads

  • C:\ProgramData\cryptinfo.txt
    MD5

    7cd3fa62bc4d420ef80c100abbda40b6

    SHA1

    88379ceaa920eecd59bfe96e1a54066f23505822

    SHA256

    361962675202c6a8f6cfdc6bd5d12d8ba2f03dbb46cfe27449f7f83f9ead81f7

    SHA512

    2e4fa81f114020fa49a361b95d535f90fd613ef1c54d9f9a6221c694b3194b9b944ea685690aca9607b995abe3527685cb75db61ef962a17b63ed80593b6d048

  • memory/1304-61-0x0000000000000000-mapping.dmp
  • memory/1980-60-0x00000000754F1000-0x00000000754F3000-memory.dmp
    Filesize

    8KB