Analysis

  • max time kernel
    154s
  • max time network
    96s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    26/08/2021, 12:52

General

  • Target

    winnt32.exe

  • Size

    441KB

  • MD5

    bc0b5052b957c3bedff6bb3cb6e0d646

  • SHA1

    593a2d83afdf8377207af4b1b20573a2aa83b7bf

  • SHA256

    4e33391000cf4732b82569f2ff0196e3cfee10a67b7dcaf52070ac7e2f79826e

  • SHA512

    fc7ea750aa4b886b01aaa41dfacc69ea6082913965af0dff68cdbf4430b79aa584d057369680d3e7ee5f0cb41cd16d50ef6418bcf5ec5adf4c7fb2d7acb6ac20

Malware Config

Extracted

Path

C:\LCRY_README.txt

Ransom Note
YOU ARE NOW VICTIM OF LCRY RANSOMWARE! YOUR FILES ARE ENCRYPTED USING A STRONG ALGORITHM! YOU HAVE NO WAY TO DECRYPT YOUR FILES UNLESS YOU PURCHASE A KEY! DON'T WORRY! THE KEY IS EASY TO PURCHASE IF YOU FOLLOW THE INSTRUCTIONS!
1. REGISTER AN EMAIL ACCOUNT.
2. CONTACT [email protected]!
3. GIVE OUT YOUR MACHINE ID IN [SYSTEMDRIVE]\LCRY_MACHINEID.ID.
4. PURCHASE THE KEY AND REMEMBER IT.
5. OPEN [SYSTEMDRIVE]\LCRY_DECRYPTOR.EXE OR THE EXE OF LCRY RANSOMWARE YOU JUST OPENED.
6. ENTER THE KEY.
7. WAIT FOR YOUR FILES TO BE DECRYPTED.
PLEASE FOLLOW THE INSTRUCTIONS OR YOU MUST SAY GOODBYE TO YOUR FILES!

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 35 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\winnt32.exe
    "C:\Users\Admin\AppData\Local\Temp\winnt32.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Windows\system32\winnt32.exe
      "C:\Windows\system32\winnt32.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1764
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\LCRY_README.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1584
      • C:\Windows\system32\winnt32.exe
        "C:\Windows\system32\winnt32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1484
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x148
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:380
  • C:\LCRY_DECRYPTOR.exe
    C:\LCRY_DECRYPTOR.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:428
    • C:\Windows\system32\winnt32.exe
      "C:\Windows\system32\winnt32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1316
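
The report gives three hashes for the submitted winnt32.exe, the names of the files it drops on the system drive (LCRY_README.txt, LCRY_MACHINEID.ID, LCRY_DECRYPTOR.exe, the System32 copy of winnt32.exe) and the opening text of the ransom note. The script below is an added example, not part of the sandbox report or of the malware, that turns those indicators into a scanner for a mounted drive image or directory. The image mount path, the rule of hashing only files with an "MZ" header, and the fixture files the demo writes (stand-ins with made-up contents, not the real sample) are assumptions.

```python
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass, field

# Hashes of the analysed sample (winnt32.exe) as listed in the report's General section.
SAMPLE_HASHES = {
    "md5": "bc0b5052b957c3bedff6bb3cb6e0d646",
    "sha1": "593a2d83afdf8377207af4b1b20573a2aa83b7bf",
    "sha256": "4e33391000cf4732b82569f2ff0196e3cfee10a67b7dcaf52070ac7e2f79826e",
}

# File names the report and the ransom note show on the system drive / in System32.
# winnt32.exe is also the name of a legitimate Windows setup utility, so a name hit
# on it is low confidence until a hash matches as well.
ARTIFACT_NAMES = {"lcry_readme.txt", "lcry_machineid.id", "lcry_decryptor.exe", "winnt32.exe"}

# Opening sentence of the ransom note quoted in the report (matched case-insensitively).
NOTE_MARKER = b"YOU ARE NOW VICTIM OF LCRY RANSOMWARE"


@dataclass
class Hit:
    path: str
    reasons: list = field(default_factory=list)


def hash_file(path, chunk=1 << 20):
    """Stream the file once and feed every block to all three digests, so each file
    is read a single time even though the report lists MD5, SHA1 and SHA256."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in digests.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in digests.items()}


def scan_file(path, hashes=SAMPLE_HASHES, names=ARTIFACT_NAMES, marker=NOTE_MARKER):
    """Return a Hit listing every indicator the file matches, or None."""
    reasons = []
    name = os.path.basename(path).lower()
    if name in names:
        reasons.append(f"name matches dropped artifact: {name}")
    try:
        with open(path, "rb") as f:
            head = f.read(4096)
    except OSError:
        return None
    if marker.lower() in head.lower():
        reasons.append("ransom note text present")
    # Hash only PE images ("MZ" magic): hashing every file on an image is slow and
    # the hashes we hold are for an executable (assumption: the dropped copies keep
    # the same bytes as the submitted sample).
    if head[:2] == b"MZ":
        digests = hash_file(path)
        for algo, wanted in hashes.items():
            if digests.get(algo) == wanted:
                reasons.append(f"{algo} matches supplied indicator")
    return Hit(path, reasons) if reasons else None


def scan_tree(root, **kwargs):
    """Walk a mounted image or directory and collect hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            hit = scan_file(os.path.join(dirpath, fn), **kwargs)
            if hit:
                hits.append(hit)
    return hits


def build_constructed_fixture(root):
    """Write constructed stand-ins (not the real sample) so the scanner can be run
    offline; returns the hashes of the fake executable to use as indicators."""
    sys32 = os.path.join(root, "Windows", "System32")
    os.makedirs(sys32, exist_ok=True)
    with open(os.path.join(root, "LCRY_README.txt"), "w", encoding="ascii") as f:
        f.write("YOU ARE NOW VICTIM OF LCRY RANSOMWARE! YOUR FILES ARE ENCRYPTED ...\n")
    fake_exe = os.path.join(sys32, "winnt32.exe")
    with open(fake_exe, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real sample")
    with open(os.path.join(root, "notes.txt"), "w", encoding="ascii") as f:
        f.write("quarterly figures\n")
    return hash_file(fake_exe)


def demo():
    """Scan the constructed fixture; returns {relative path: sorted reasons}."""
    with tempfile.TemporaryDirectory() as root:
        fake_hashes = build_constructed_fixture(root)
        hits = scan_tree(root, hashes=fake_hashes)
        return {os.path.relpath(h.path, root).replace(os.sep, "/"): sorted(h.reasons)
                for h in hits}


if __name__ == "__main__":
    # Real use: python lcry_scan.py /mnt/evidence   (mount path is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else []
    for hit in results:
        print(hit.path, "->", "; ".join(hit.reasons))
    if not target:
        for path, reasons in demo().items():
            print(path, "->", "; ".join(reasons))
```

Run it against a read-only mount of the victim's system drive; a name-only hit on winnt32.exe should be confirmed by a hash match before acting on it, while a hit on LCRY_MACHINEID.ID should be preserved rather than deleted, since the note says that file carries the machine ID the decryptor expects.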

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/540-60-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp

    Filesize

    8KB