Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
12-06-2022 07:53
Static task
static1
Behavioral task
behavioral1
Sample
21a77e00627ddd6541f559651be67482ce29b079969379038b5ea5424c275cab.dll
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
21a77e00627ddd6541f559651be67482ce29b079969379038b5ea5424c275cab.dll
Resource
win10v2004-20220414-en
General
-
Target
21a77e00627ddd6541f559651be67482ce29b079969379038b5ea5424c275cab.dll
-
Size
141KB
-
MD5
38bd1d49f88201a9a6a92ae3f65559c0
-
SHA1
010847f30975fbac9a45ffc6e70ed640614e4852
-
SHA256
21a77e00627ddd6541f559651be67482ce29b079969379038b5ea5424c275cab
-
SHA512
4ff916f7ea78fbd0c0fbb663dc53d8a6060fae819a7f0da09d114d832dde1634943cb603787954fdb0a5fbae20bcc0a2d29157f7b7a1139c8f41424a655db858
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
suricata: ET MALWARE Locky CnC Checkin HTTP Pattern
suricata: ET MALWARE Locky CnC Checkin HTTP Pattern
-
suricata: ET MALWARE Locky CnC checkin Nov 21
suricata: ET MALWARE Locky CnC checkin Nov 21
-
Blocklisted process makes network request 4 IoCs
Processes:
rundll32.exeflow pid process 24 204 rundll32.exe 38 204 rundll32.exe 51 204 rundll32.exe 65 204 rundll32.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\_WHAT_is.bmp" rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 2 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\TileWallpaper = "0" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\WallpaperStyle = "0" rundll32.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 4436 wrote to memory of 204 4436 rundll32.exe rundll32.exe PID 4436 wrote to memory of 204 4436 rundll32.exe rundll32.exe PID 4436 wrote to memory of 204 4436 rundll32.exe rundll32.exe PID 204 wrote to memory of 2316 204 rundll32.exe msedge.exe PID 204 wrote to memory of 2316 204 rundll32.exe msedge.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\21a77e00627ddd6541f559651be67482ce29b079969379038b5ea5424c275cab.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\21a77e00627ddd6541f559651be67482ce29b079969379038b5ea5424c275cab.dll,#12⤵
- Blocklisted process makes network request
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:204 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_WHAT_is.html3⤵PID:2316