Overview

overview

10

Static

static

33223ddfd3...le.exe

windows7_x64

10

33223ddfd3...le.exe

windows10_x64

10

Analysis

  • max time kernel
    14s
  • max time network
    117s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    26-07-2021 12:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33223ddfd3805727e70265d1b9ad22207a5667c6e38b802a140d979927e66ed0.sample.exe

  • Size

    203KB

  • MD5

    3cd4ec69277564714e1821c979939412

  • SHA1

    67872dfa3607aca69aa0307af8c13bc86c2a02c6

  • SHA256

    33223ddfd3805727e70265d1b9ad22207a5667c6e38b802a140d979927e66ed0

  • SHA512

    ab0a9da426e92ff7b43d999ba787c866207b2731853ab7873a3772e0f8e53087ce578de7316589f36009cee757db51eeca1453e4d4f99a4e0813eb33ed0d361b

Score
10/10
dmalockerpersistenceransomware

Malware Config

Extracted

Path

C:\ProgramData\cryptinfo.txt

Ransom Note
Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 4 BTC (1072 GBP) in Bitcoin currency in order to receive a decryption key. In order to purchase Bitcions you can use https://coincafe.com/signup.php After buying BTC send the equivalent of 4 BTC (1072 GBP) to our BTC adress: 1NaRMgB35pGH3hpoYYCUm4cKatA36pxtxs After payment contact us to receive your decryption key. In mail title write your unique ID: DMALOCK 57:29:79:75:80:37:51:32 Our e-mail: [email protected] ATTENTION! To ensure you that you can recover your data we are able to decrypt two files of your choice that are not larger than 1MB! ATTENTION! Even if your antivirus has removed our program, your data may be still recovered!
Wallets

1NaRMgB35pGH3hpoYYCUm4cKatA36pxtxs

Signatures

  • DMA Locker

    Ransomware family with some advanced features, like encryption of unmapped network shares.

    ransomwaredmalocker
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33223ddfd3805727e70265d1b9ad22207a5667c6e38b802a140d979927e66ed0.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\33223ddfd3805727e70265d1b9ad22207a5667c6e38b802a140d979927e66ed0.sample.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:680
    • C:\ProgramData\svchosd.exe
      "C:\ProgramData\svchosd.exe"
      2⤵
        PID:2988

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2988-114-0x0000000000000000-mapping.dmp
      Download