Overview

overview

10

Static

static

b7eeb0746b...le.exe

windows7_x64

10

b7eeb0746b...le.exe

windows10_x64

10

Analysis

  • max time kernel
    164s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    26-07-2021 12:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe

  • Size

    363KB

  • MD5

    28b44669d6e7bc7ede7f5586a938b1cb

  • SHA1

    8b5afcc257edb2e585fbe5ae9174921bbe51cffd

  • SHA256

    b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c

  • SHA512

    131d4a2baa13e38c3351a49aa3e4630a2766d16333e35b7e6eaf004f3ba46830765af505c5334e7df35e9aaf32bcb917018ea7b6e83f787ce432fe89969f86bd

Score
10/10
dmalockerpersistenceransomware

Malware Config

Extracted

Path

C:\ProgramData\cryptinfo.txt

Ransom Note
Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 1072 GBP in Bitcoin currency in order to receive a decryption key. In order to purchase Bitcions you can use www.coinbase.com After buying BTC send the equivalent of 1072 GBP to our BTC adress: 166vHLnGB1pCQGxdBkRiMkHW5WGQDbsw6s After payment contact us to receive your decryption key. In mail title write your unique ID: DMALOCK 43:41:90:35:25:13:61:92 Our e-mail: team4004@gmx.com ATTENTION! To ensure you that you can recover your data we are able to decrypt two files of your choice that are not larger than 1MB! ATTENTION! Even if your antivirus has removed our program, your data may be still recovered!
Emails

team4004@gmx.com

Wallets

166vHLnGB1pCQGxdBkRiMkHW5WGQDbsw6s

Signatures

  • DMA Locker

    Ransomware family with some advanced features, like encryption of unmapped network shares.

    ransomwaredmalocker
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\ProgramData\svchosd.exe
      "C:\ProgramData\svchosd.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\cryptinfo.txt
    MD5

    7cd3fa62bc4d420ef80c100abbda40b6

    SHA1

    88379ceaa920eecd59bfe96e1a54066f23505822

    SHA256

    361962675202c6a8f6cfdc6bd5d12d8ba2f03dbb46cfe27449f7f83f9ead81f7

    SHA512

    2e4fa81f114020fa49a361b95d535f90fd613ef1c54d9f9a6221c694b3194b9b944ea685690aca9607b995abe3527685cb75db61ef962a17b63ed80593b6d048

    Download Submit
  • memory/1304-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1980-60-0x00000000754F1000-0x00000000754F3000-memory.dmp
    Filesize

    8KB

    Download