481509a67f836e3826fd7835cded0619a1491ed914152d893c6d8ac950445f4f | Triage

Analysis

max time kernel
188s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
22-05-2022 05:33

Sharing

Report Analysis Logs

General

Target

KarLocker_exe.exe
Size

763KB
MD5

688cba9c88f928b0cf854b43e97bec75
SHA1

45a2b7e6c358018467e480e7b6324d1a305e0d24
SHA256

481509a67f836e3826fd7835cded0619a1491ed914152d893c6d8ac950445f4f
SHA512

153bb3cd0119f171d225e51fbaf44b601be22c66ac700906525861ffc42368381617c9ca481f63fb66f3e97561a6251177929b8b7d1831efdd7b0a413513ebd1

Score

7^/10

ransomware

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

KarLocker_exe.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update.lnk KarLocker_exe.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

KarLocker_exe.exe

description	ioc	process
File opened (read-only)	\??\f:	KarLocker_exe.exe
File opened (read-only)	\??\w:	KarLocker_exe.exe
File opened (read-only)	\??\x:	KarLocker_exe.exe
File opened (read-only)	\??\o:	KarLocker_exe.exe
File opened (read-only)	\??\b:	KarLocker_exe.exe
File opened (read-only)	\??\g:	KarLocker_exe.exe
File opened (read-only)	\??\j:	KarLocker_exe.exe
File opened (read-only)	\??\k:	KarLocker_exe.exe
File opened (read-only)	\??\l:	KarLocker_exe.exe
File opened (read-only)	\??\r:	KarLocker_exe.exe
File opened (read-only)	\??\s:	KarLocker_exe.exe
File opened (read-only)	\??\t:	KarLocker_exe.exe
File opened (read-only)	\??\e:	KarLocker_exe.exe
File opened (read-only)	\??\h:	KarLocker_exe.exe
File opened (read-only)	\??\i:	KarLocker_exe.exe
File opened (read-only)	\??\m:	KarLocker_exe.exe
File opened (read-only)	\??\p:	KarLocker_exe.exe
File opened (read-only)	\??\y:	KarLocker_exe.exe
File opened (read-only)	\??\z:	KarLocker_exe.exe
File opened (read-only)	\??\a:	KarLocker_exe.exe
File opened (read-only)	\??\n:	KarLocker_exe.exe
File opened (read-only)	\??\q:	KarLocker_exe.exe
File opened (read-only)	\??\u:	KarLocker_exe.exe
File opened (read-only)	\??\v:	KarLocker_exe.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

Defacement

Modify Registry

Processes:

KarLocker_exe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"	KarLocker_exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Control Panel 1 IoCs
evasion

Processes:

KarLocker_exe.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop KarLocker_exe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

KarLocker_exe.exe

pid	process
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe
892	KarLocker_exe.exe

C:\Users\Admin\AppData\Local\Temp\KarLocker_exe.exe
"C:\Users\Admin\AppData\Local\Temp\KarLocker_exe.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
PID:892

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

Replay Monitor

Loading Replay Monitor...

Downloads

memory/892-54-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download