Overview

overview

10

Static

static

1d4a3957a4...f6.exe

windows7_x64

10

1d4a3957a4...f6.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    126s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    07-06-2022 04:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d4a3957a4f4d83f1edffcb0b596e04d98c82f801ae4b23208a34076203f42f6.exe

  • Size

    634KB

  • MD5

    c77d1c0c0ecd0b2f81f2bcf89fb07279

  • SHA1

    be7d13c25052903d150ed07e836e210e298b9995

  • SHA256

    1d4a3957a4f4d83f1edffcb0b596e04d98c82f801ae4b23208a34076203f42f6

  • SHA512

    a967039c4a9804b3ff51c25fafa93322f983eaa52fe4361cae3f5a54c02eafc0bea8e848a3e94ba17e09622b53466dabef14c1a775f0958f06c6aa8e70b9e091

Score
10/10
lockyransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d4a3957a4f4d83f1edffcb0b596e04d98c82f801ae4b23208a34076203f42f6.exe
    "C:\Users\Admin\AppData\Local\Temp\1d4a3957a4f4d83f1edffcb0b596e04d98c82f801ae4b23208a34076203f42f6.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\asasin.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1700
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\1d4a3957a4f4d83f1edffcb0b596e04d98c82f801ae4b23208a34076203f42f6.exe"
      2⤵
      • Deletes itself
      PID:1912
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1980
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {AC4415E4-99F8-41E5-93A8-71033E4B7775} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      2⤵
      • Interacts with shadow copies
      PID:640
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\B19HLP2L.txt
    Filesize

    606B

    MD5

    7d4fc71c461d7dfef4cd007d5d3aba5c

    SHA1

    927b6916ef5b402fd53df5cca28895968995efaf

    SHA256

    d9d8dc3a6d201237dd1039e9c98a0e3345cd730598028c691e05af2fae7132f8

    SHA512

    d63850770d43654f287a1039ad858fc9b9ebc1459836ee5a976176d5bd96e864982df3b864d7b79c621bcbac54f7a5440ca2581c0d12caafc51fade0ac5db852

    Download Submit
  • C:\Users\Admin\Desktop\asasin.bmp
    Filesize

    3.3MB

    MD5

    9a8d39c8114333faead728ef67245fbb

    SHA1

    ceb9d13b8bcc348e0ab1871498869d8f3825a334

    SHA256

    e4051c34edde178eb5bed34e903729d016159cb1b076a90241ef9811b4e16c5a

    SHA512

    e7d0153f50cf6df64385c0210d5d1dbae08663cb51795a48855ee03b5d0186d9d57608536c88016987d5c32d42d90136606ef9e2b6748a53919a9c6a306cf8e5

    Download Submit
  • C:\Users\Admin\Desktop\asasin.htm
    Filesize

    8KB

    MD5

    e3d8d61fc2cc8c41397bf3d1c46cd6db

    SHA1

    a9c4da6b6ca0db6309dc09353322dbc2cc152cf6

    SHA256

    8b537b0f5a7cdd921b3a443729c7b648df8aee161dbd3e3dc2296f939ef919f9

    SHA512

    c31213d7ad135fefeb3f5767684f1e487b6215f6da23d483b4dc9554a3d2e6e8655a95f796add4edeccc663da2e06c571bc732e2ee02e3ced7e96194aaf4ed53

    Download Submit
  • memory/640-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1504-54-0x0000000075271000-0x0000000075273000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1504-55-0x0000000000400000-0x0000000000489000-memory.dmp
    Filesize

    548KB

    Download
  • memory/1504-56-0x0000000000400000-0x00000000004A5BB0-memory.dmp
    Filesize

    662KB

    Download
  • memory/1504-58-0x0000000000400000-0x00000000004A5BB0-memory.dmp
    Filesize

    662KB

    Download
  • memory/1504-62-0x0000000000400000-0x00000000004A5BB0-memory.dmp
    Filesize

    662KB

    Download
  • memory/1912-61-0x0000000000000000-mapping.dmp
    Download