Analysis

  • max time kernel
    150s
  • max time network
    114s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    26-07-2021 12:58

General

  • Target

    b2b3244147fe99552144847d8561eda14c6751e9afda58fc3039c5d11a4b44af.sample.exe

  • Size

    216KB

  • MD5

    832814b3212fd82fbced6afd72b4e8dc

  • SHA1

    be3b021f3bd5b86a3d126e1b5d7bde4ccdad6ae5

  • SHA256

    b2b3244147fe99552144847d8561eda14c6751e9afda58fc3039c5d11a4b44af

  • SHA512

    19f8db46f1095516b3300f933c9b4ea7ecc9c671ecb22eae0a6806e18daf7ad19687b610c52822e27144a6b05270e1e333ff74ea0a58175a9b17c85a016b2ff8

Malware Config

Extracted

Path

C:\ProgramData\cryptinfo.txt

Ransom Note
Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 10 BTC (7000 GBP) in Bitcoin currency in order to receive a decryption key. In order to purchase Bitcions you can use https://coincafe.com/signup.php After buying BTC send the equivalent of 10 BTC (7000 GBP) to our BTC adress: 1DtyvLb1pDzXVoaVnJLAFzBJN6b4gcJSdR After payment contact us to receive your decryption key. In mail title write your unique ID: DMALOCK 31:74:71:30:36:43:72:21 Our e-mail: week4004@fastmail.com ATTENTION! To ensure you that you can recover your data we are able to decrypt two files of your choice that are not larger than 1MB! ATTENTION! Even if your antivirus has removed our program, your data may be still recovered!
Emails

week4004@fastmail.com

Wallets

1DtyvLb1pDzXVoaVnJLAFzBJN6b4gcJSdR

Signatures

  • DMA Locker

    Ransomware family with some advanced features, like encryption of unmapped network shares.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2b3244147fe99552144847d8561eda14c6751e9afda58fc3039c5d11a4b44af.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\b2b3244147fe99552144847d8561eda14c6751e9afda58fc3039c5d11a4b44af.sample.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\ProgramData\svchosd.exe
      "C:\ProgramData\svchosd.exe"
      2⤵
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      PID:2544

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion
    Modify Registry (T1112): 1


Downloads

  • C:\ProgramData\cryptinfo.txt
    MD5

    5b2ca2ca9798148f3e9898df3ab8e0c2

    SHA1

    f45db5f1a1fe018af724acdc2d4074970711b25f

    SHA256

    1b2dbdefbb1290d34150488318520b0d5b05fa823d8f7553dcf150686fb1d560

    SHA512

    c534a8d8462bd85896b86dd88b91475f053150cc7e27cf0b2be08cdf22e3df7b24a443c1de6efd03bc2d2576cbc09dd7903102105a4c08d7d77e35613e6619d1

  • memory/2544-114-0x0000000000000000-mapping.dmp