dmalocker | ef7fefcb41d79c824c429819fbe73e6d0186c0586bc5f031debf553cd43edce4

General

Target

SysLogsService.exe
Size

7.7MB
MD5

0b97fa8b682939e55df2bcfe3d17dba5
SHA1

9d0101a59a1f705d55ab5acb0577ea9a967a6bab
SHA256

ef7fefcb41d79c824c429819fbe73e6d0186c0586bc5f031debf553cd43edce4
SHA512

1d4e414a9abd9b4f317f4ea37fc2a76ee8d3057b5079f654c142ef0b938433d0c52f8620526375eed4b9ac0adceda26484ebad9e63b7c4df5aef272d07620e68

Score

10^/10

dmalocker evasion ransomware spyware stealer suricata themida trojan

Malware Config

Signatures

DMA Locker
Ransomware family with some advanced features, like encryption of unmapped network shares.
ransomware dmalocker
suricata: ET MALWARE BigLock Ransomware CnC Activity (ext)
suricata: ET MALWARE BigLock Ransomware CnC Activity (ext)
suricata
suricata: ET MALWARE BigLock Ransomware CnC Activity (gen)
suricata: ET MALWARE BigLock Ransomware CnC Activity (gen)
suricata
suricata: ET MALWARE BigLock Ransomware CnC Activity (info)
suricata: ET MALWARE BigLock Ransomware CnC Activity (info)
suricata
suricata: ET MALWARE BigLock Ransomware CnC Activity (name)
suricata: ET MALWARE BigLock Ransomware CnC Activity (name)
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

744 bcdedit.exe
64 bcdedit.exe
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2320 wbadmin.exe

pid	process
744	bcdedit.exe
64	bcdedit.exe

pid	process
2320	wbadmin.exe

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

SysLogsService.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\InitializeOut.png.t1000	SysLogsService.exe
File opened for modification	C:\Users\Admin\Pictures\MoveTrace.tif.t1000	SysLogsService.exe
File opened for modification	C:\Users\Admin\Pictures\RevokeCompare.raw.t1000	SysLogsService.exe
File opened for modification	C:\Users\Admin\Pictures\ExportConvert.tiff.t1000	SysLogsService.exe
File opened for modification	C:\Users\Admin\Pictures\ResizeTrace.raw.t1000	SysLogsService.exe
File created	C:\Users\Admin\Pictures\RevokeCompare.raw.t1000	SysLogsService.exe
File created	C:\Users\Admin\Pictures\SetClear.png.t1000	SysLogsService.exe
File opened for modification	C:\Users\Admin\Pictures\SetClear.png.t1000	SysLogsService.exe
File created	C:\Users\Admin\Pictures\WaitFormat.raw.t1000	SysLogsService.exe
File opened for modification	C:\Users\Admin\Pictures\WaitFormat.raw.t1000	SysLogsService.exe
File created	C:\Users\Admin\Pictures\ResizeTrace.raw.t1000	SysLogsService.exe
File created	C:\Users\Admin\Pictures\ExportConvert.tiff.t1000	SysLogsService.exe
File created	C:\Users\Admin\Pictures\InitializeOut.png.t1000	SysLogsService.exe
File created	C:\Users\Admin\Pictures\MoveTrace.tif.t1000	SysLogsService.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SysLogsService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SysLogsService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SysLogsService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2776-115-0x00007FF7DF4C0000-0x00007FF7DFC78000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SysLogsService.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SysLogsService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysLogsService.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exeSysLogsService.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\W:	SysLogsService.exe
File opened (read-only)	\??\Q:	SysLogsService.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\A:	SysLogsService.exe
File opened (read-only)	\??\P:	SysLogsService.exe
File opened (read-only)	\??\X:	SysLogsService.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	SysLogsService.exe
File opened (read-only)	\??\M:	SysLogsService.exe
File opened (read-only)	\??\S:	SysLogsService.exe
File opened (read-only)	\??\T:	SysLogsService.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	SysLogsService.exe
File opened (read-only)	\??\L:	SysLogsService.exe
File opened (read-only)	\??\R:	SysLogsService.exe
File opened (read-only)	\??\Z:	SysLogsService.exe
File opened (read-only)	\??\K:	SysLogsService.exe
File opened (read-only)	\??\O:	SysLogsService.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\B:	SysLogsService.exe
File opened (read-only)	\??\G:	SysLogsService.exe
File opened (read-only)	\??\I:	SysLogsService.exe
File opened (read-only)	\??\U:	SysLogsService.exe
File opened (read-only)	\??\Y:	SysLogsService.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\N:	SysLogsService.exe
File opened (read-only)	\??\F:	SysLogsService.exe
File opened (read-only)	\??\J:	SysLogsService.exe
File opened (read-only)	\??\V:	SysLogsService.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

SysLogsService.exe

pid process

2776 SysLogsService.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
2820	vssadmin.exe
364	vssadmin.exe
360	vssadmin.exe
2360	vssadmin.exe
1400	vssadmin.exe
1060	vssadmin.exe
1872	vssadmin.exe
3548	vssadmin.exe
856	vssadmin.exe
1424	vssadmin.exe
3108	vssadmin.exe
3852	vssadmin.exe
3064	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

SysLogsService.exe

pid	process
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe
2776	SysLogsService.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vssvc.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	1576	vssvc.exe
Token: SeRestorePrivilege	1576	vssvc.exe
Token: SeAuditPrivilege	1576	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3592	wmic.exe
Token: SeSecurityPrivilege	3592	wmic.exe
Token: SeTakeOwnershipPrivilege	3592	wmic.exe
Token: SeLoadDriverPrivilege	3592	wmic.exe
Token: SeSystemProfilePrivilege	3592	wmic.exe
Token: SeSystemtimePrivilege	3592	wmic.exe
Token: SeProfSingleProcessPrivilege	3592	wmic.exe
Token: SeIncBasePriorityPrivilege	3592	wmic.exe
Token: SeCreatePagefilePrivilege	3592	wmic.exe
Token: SeBackupPrivilege	3592	wmic.exe
Token: SeRestorePrivilege	3592	wmic.exe
Token: SeShutdownPrivilege	3592	wmic.exe
Token: SeDebugPrivilege	3592	wmic.exe
Token: SeSystemEnvironmentPrivilege	3592	wmic.exe
Token: SeRemoteShutdownPrivilege	3592	wmic.exe
Token: SeUndockPrivilege	3592	wmic.exe
Token: SeManageVolumePrivilege	3592	wmic.exe
Token: 33	3592	wmic.exe
Token: 34	3592	wmic.exe
Token: 35	3592	wmic.exe
Token: 36	3592	wmic.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

SysLogsService.exe

description	pid	process	target process
PID 2776 wrote to memory of 856	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 856	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 2820	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 2820	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 1424	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 1424	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 364	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 364	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 3108	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 3108	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 360	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 360	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 2360	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 2360	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 1400	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 1400	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 1060	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 1060	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 1872	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 1872	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 3852	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 3852	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 3064	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 3064	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 3548	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 3548	2776	SysLogsService.exe	vssadmin.exe
PID 2776 wrote to memory of 744	2776	SysLogsService.exe	bcdedit.exe
PID 2776 wrote to memory of 744	2776	SysLogsService.exe	bcdedit.exe
PID 2776 wrote to memory of 64	2776	SysLogsService.exe	bcdedit.exe
PID 2776 wrote to memory of 64	2776	SysLogsService.exe	bcdedit.exe
PID 2776 wrote to memory of 2320	2776	SysLogsService.exe	wbadmin.exe
PID 2776 wrote to memory of 2320	2776	SysLogsService.exe	wbadmin.exe
PID 2776 wrote to memory of 3592	2776	SysLogsService.exe	wmic.exe
PID 2776 wrote to memory of 3592	2776	SysLogsService.exe	wmic.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

SysLogsService.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	SysLogsService.exe

C:\Users\Admin\AppData\Local\Temp\SysLogsService.exe
"C:\Users\Admin\AppData\Local\Temp\SysLogsService.exe"
1⤵
- Modifies extensions of user files
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2776

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:856

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:2820

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1424

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:364

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3108

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:360

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2360

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1400

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1060

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1872

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3852

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3064

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:3548

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
2⤵
- Modifies boot configuration data using bcdedit
PID:744

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Modifies boot configuration data using bcdedit
PID:64

C:\Windows\SYSTEM32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:2320

C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

3

T1107

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-130-0x0000000000000000-mapping.dmp

Download
memory/360-121-0x0000000000000000-mapping.dmp

Download
memory/364-119-0x0000000000000000-mapping.dmp

Download
memory/744-129-0x0000000000000000-mapping.dmp

Download
memory/856-116-0x0000000000000000-mapping.dmp

Download
memory/1060-124-0x0000000000000000-mapping.dmp

Download
memory/1400-123-0x0000000000000000-mapping.dmp

Download
memory/1424-118-0x0000000000000000-mapping.dmp

Download
memory/1872-125-0x0000000000000000-mapping.dmp

Download
memory/2320-131-0x0000000000000000-mapping.dmp

Download
memory/2360-122-0x0000000000000000-mapping.dmp

Download
memory/2776-115-0x00007FF7DF4C0000-0x00007FF7DFC78000-memory.dmp

Filesize
7.7MB

Download
memory/2820-117-0x0000000000000000-mapping.dmp

Download
memory/3064-127-0x0000000000000000-mapping.dmp

Download
memory/3108-120-0x0000000000000000-mapping.dmp

Download
memory/3548-128-0x0000000000000000-mapping.dmp

Download
memory/3592-132-0x0000000000000000-mapping.dmp

Download
memory/3852-126-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads