Analysis
max time kernel: 188s
max time network: 49s
platform: windows7_x64
resource: win7-20220414-en
submitted: 22-05-2022 05:33
Static task: static1
Behavioral task: behavioral1
Sample: KarLocker_exe.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: KarLocker_exe.exe
Resource: win10v2004-20220414-en
General
Target: KarLocker_exe.exe
Size: 763KB
MD5: 688cba9c88f928b0cf854b43e97bec75
SHA1: 45a2b7e6c358018467e480e7b6324d1a305e0d24
SHA256: 481509a67f836e3826fd7835cded0619a1491ed914152d893c6d8ac950445f4f
SHA512: 153bb3cd0119f171d225e51fbaf44b601be22c66ac700906525861ffc42368381617c9ca481f63fb66f3e97561a6251177929b8b7d1831efdd7b0a413513ebd1
Malware Config
Signatures
Drops startup file 1 IoCs
Processes:
KarLocker_exe.exe
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update.lnk
process: KarLocker_exe.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
KarLocker_exe.exe
description: File opened (read-only)
ioc: \??\f:, \??\w:, \??\x:, \??\o:, \??\b:, \??\g:, \??\j:, \??\k:, \??\l:, \??\r:, \??\s:, \??\t:, \??\e:, \??\h:, \??\i:, \??\m:, \??\p:, \??\y:, \??\z:, \??\a:, \??\n:, \??\q:, \??\u:, \??\v:
process: KarLocker_exe.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
KarLocker_exe.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"
process: KarLocker_exe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Control Panel 1 IoCs
Processes:
KarLocker_exe.exe
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop
process: KarLocker_exe.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
KarLocker_exe.exe
pid: 892
process: KarLocker_exe.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/892-54-0x0000000076191000-0x0000000076193000-memory.dmp
Filesize: 8KB