Analysis
- max time kernel: 135s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12-06-2022 18:57
Static task: static1
Behavioral task: behavioral1
  Sample: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
  Resource: win10v2004-20220414-en
General
- Target: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
- Size: 589KB
- MD5: e43244db36895d6a28850d3408d80f45
- SHA1: 86ef0edf0a3f2f3edf4192fdd3addedda48945c9
- SHA256: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3
- SHA512: d55ae92112dccbc515e4b9790bf7470304ae9fe3c50d200d31ba91ebbf1870f15978cdb622b0b51c126656865e5c947a201cffae337f058c8783a58813286004
Malware Config
Signatures
- Locky
  Ransomware family first seen in 2016; builds include anti-analysis features.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
  description | ioc | process
  File opened for modification | \??\c:\Users\Admin\Pictures\ApproveSearch.tiff | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process
  876 | cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\opt321 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe" | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\asasin.bmp" | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  1288 | vssadmin.exe
- Modifies Control Panel (2 IoCs)
  Processes: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\WallpaperStyle = "0" | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\TileWallpaper = "0" | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
  All keys below are under \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer
  description | ioc | process
  Key created | \Zoom | iexplore.exe
  Set value (int) | \Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \IETld\LowMic | iexplore.exe
  Set value (int) | \TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Set value (data) | \TabbedBrowsing\NewTabPage\LastProcessed = 30c3ef9dc67ed801 | iexplore.exe
  Key created | \DomainSuggestion | iexplore.exe
  Key created | \InternetRegistry | iexplore.exe
  Set value (data) | \TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec000000000020000000000106600000001000020000000fcb117a617dd1d899b5483e43dfc6613edefb7fabe6153573594485cf67ccd69000000000e8000000002000020000000a68bc8916d857691f7a6ea260c6d179d1d182c90aea6385a0b724f382fc437802000000073eac851277223c2ada09a272dbaa91382622806922475ceaf5e2f46d976fae7400000002a8620d56075ba6c7f673e7ad7d543121c82f13bf61b0ea47fabc4b9ac5039cbb642427e52a9b709420e401ae3e9ab768c0515e1be0c175f507040f09dd08576 | iexplore.exe
  Key created | \DomainSuggestion\FileNames\ | iexplore.exe
  Set value (int) | \Recovery\AdminActive\{C842C881-EAB9-11EC-B44F-5EFF8A6DE4BC} = "0" | iexplore.exe
  Key created | \LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Set value (data) | \TabbedBrowsing\NewTabPage\MFV = … | iexplore.exe
  Set value (str) | \DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
  Key created | \GPU | iexplore.exe
  Key created | \Main\WindowsSearch | iexplore.exe
  Key created | \Main | IEXPLORE.EXE
  Key created | \TabbedBrowsing | iexplore.exe
  Key created | \DomainSuggestion\FileNames | iexplore.exe
  Key created | \IntelliForms | iexplore.exe
  Key created | \Recovery\AdminActive | iexplore.exe
  Set value (str) | \Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (data) | \Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Set value (str) | \Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Key created | \TabbedBrowsing\NewTabPage | iexplore.exe
  Key created | \LowRegistry\DOMStorage | iexplore.exe
  Key created | \LowRegistry | iexplore.exe
  Key created | \Toolbar\WebBrowser | iexplore.exe
  Set value (int) | \Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \Main\WindowsSearch | IEXPLORE.EXE
  Set value (int) | \DomainSuggestion\NextUpdateDate = "361849401" | iexplore.exe
  Key created | \BrowserEmulation\LowMic | iexplore.exe
  Key created | \PageSetup | iexplore.exe
  Key created | \Toolbar | iexplore.exe
  Set value (str) | \Main\FullScreen = "no" | iexplore.exe
  Key created | \Recovery\PendingRecovery | iexplore.exe
  Key created | \Main | iexplore.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 960 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
  Token: SeTakeOwnershipPrivilege | 960 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
  Token: SeBackupPrivilege | 960 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
  Token: SeRestorePrivilege | 960 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
  Token: SeBackupPrivilege | 2032 | vssvc.exe
  Token: SeRestorePrivilege | 2032 | vssvc.exe
  Token: SeAuditPrivilege | 2032 | vssvc.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: iexplore.exe, DllHost.exe
  pid | process
  1004 | iexplore.exe
  1464 | DllHost.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: iexplore.exe, IEXPLORE.EXE
  pid | process
  1004 | iexplore.exe
  1004 | iexplore.exe
  1696 | IEXPLORE.EXE
  1696 | IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: taskeng.exe, 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe, iexplore.exe
  description | pid | process | target process | entries
  PID 572 wrote to memory of 1288 | 572 | taskeng.exe | vssadmin.exe | 3
  PID 960 wrote to memory of 1004 | 960 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe | iexplore.exe | 4
  PID 1004 wrote to memory of 1696 | 1004 | iexplore.exe | IEXPLORE.EXE | 4
  PID 960 wrote to memory of 876 | 960 | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe | cmd.exe | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe"
  PID: 960
  - Modifies extensions of user files
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\asasin.htm
    PID: 1004
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:275457 /prefetch:2
      PID: 1696
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe"
    PID: 876
    - Deletes itself
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2032
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B788752E-862B-4D7C-B6C9-4328C815920F} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 572
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
    PID: 1288
    - Interacts with shadow copies
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1464
  - Suspicious use of FindShellTrayWindow
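The signatures and process tree above, replayed as detection logic. This is an added example and not part of the sandbox report or the sample: it constructs Sysmon-style event records that mirror the report's process creations and registry writes, then applies one rule per behaviour (shadow-copy deletion, self-deletion through cmd.exe, Run-key persistence pointing into a Temp directory, wallpaper replacement). The Event class, the EVENTS list and the rule names are this example's own; the paths, SID and command lines are copied from the report.

```python
"""Added example (not part of the sandbox report): replays the behaviours
recorded above as constructed Sysmon-style events and applies one detection
rule per signature, so the IoCs on this page become hunting logic."""
import re
from dataclasses import dataclass

# Sample path and user hive copied from the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe")
HKU = r"\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000"


@dataclass
class Event:
    """Minimal Sysmon-like record: a process creation or a registry value set."""
    kind: str                 # "process" or "registry"
    image: str                # image path of the acting process
    cmdline: str = ""         # command line (process events)
    parent_image: str = ""    # parent image path (process events)
    target: str = ""          # registry path (registry events)
    value: str = ""           # registry data (registry events)


# Constructed events reproducing the process tree and registry writes above.
EVENTS = [
    Event("process", SAMPLE, cmdline=f'"{SAMPLE}"'),
    Event("registry", SAMPLE,
          target=HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\opt321",
          value=SAMPLE),
    Event("registry", SAMPLE,
          target=HKU + r"\Control Panel\Desktop\Wallpaper",
          value=r"C:\Users\Admin\Desktop\asasin.bmp"),
    # In the report vssadmin is spawned by taskeng.exe (a scheduled task), not by the sample.
    Event("process", r"C:\Windows\system32\vssadmin.exe",
          cmdline=r"C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All",
          parent_image=r"C:\Windows\system32\taskeng.exe"),
    Event("process", r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=f'cmd.exe /C del /Q /F "{SAMPLE}"',
          parent_image=SAMPLE),
    Event("process", r"C:\Program Files\Internet Explorer\iexplore.exe",
          cmdline=r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\asasin.htm',
          parent_image=SAMPLE),
]

SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.I)
QUOTED_EXE = re.compile(r'"([^"]+\.exe)"', re.I)


def detect(events):
    """Return (rule_name, evidence) pairs, one per matching event, in event order."""
    hits = []
    for e in events:
        image = e.image.lower()
        if e.kind == "process":
            # Rule 1: shadow-copy deletion, keyed on the command line alone so it
            # still fires when the parent is the task scheduler rather than the sample.
            if image.endswith("\\vssadmin.exe") and SHADOW_DELETE.search(e.cmdline):
                hits.append(("shadow_copy_deletion", e.cmdline))
            # Rule 2: self-deletion, cmd.exe deleting the image of its own parent.
            if image.endswith("\\cmd.exe") and re.search(r"\bdel\b", e.cmdline, re.I):
                m = QUOTED_EXE.search(e.cmdline)
                if m and m.group(1).lower() == e.parent_image.lower():
                    hits.append(("self_deletion", e.parent_image))
        elif e.kind == "registry":
            key = e.target.lower()
            # Rule 3: Run-key persistence whose target lives in a per-user Temp directory.
            if "\\currentversion\\run\\" in key and "\\appdata\\local\\temp\\" in e.value.lower():
                hits.append(("run_key_persistence_from_temp", e.target))
            # Rule 4: desktop wallpaper replaced (ransom-note image).
            if key.endswith("\\control panel\\desktop\\wallpaper"):
                hits.append(("wallpaper_changed", e.value))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(f"{rule:32s} {evidence}")
```

Two details of the report drive the rule design. The WriteProcessMemory table shows taskeng.exe (PID 572), not the sample, writing into vssadmin.exe (PID 1288), so a parent-child rule pinned to the sample would miss the shadow-copy deletion; rule 1 therefore keys on vssadmin's command line only. The Run key opt321 points at the same Temp path that cmd.exe (PID 876) deletes, so the persistence entry as recorded references a file that no longer exists once the run completes.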
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ENFFKYWB.txt
  Filesize: 603B
  MD5: fe906cff9154d8e3d4192e423d80b791
  SHA1: 59edbe753f405e449cc1a50f87dbd55a61a1b09a
  SHA256: 01e67274b4d1b5f3d4b23e3ee04fe26307c50a9edf3a45d4823129c5645b841f
  SHA512: 6ff9b57a617183bbe16a9a7a4c679e42a5e7254e7e99a58f15378df9a74da1d78b34a663d83daa645fe04042483ad5326050f3bee3d881da756409b0f590b095
- C:\Users\Admin\Desktop\asasin.bmp
  Filesize: 3.1MB
  MD5: 64e334fdd68ff2eb57815621e100df1e
  SHA1: 93580645b3bc713184ae359fa32f420e656c5a86
  SHA256: 5246115d4ece8437bc5b43d5c96bd9f2fd41a4006d151ef5be27188683e09a91
  SHA512: 8bfd83c35c766559e77cbc90485acf7dc42ca02320c4fb94c20dda8c22be3b5d5a4a7d0a1834467d6fc5bf3e9850238abe1cd7a5dbeff427c9ae2e2458c3b516
- C:\Users\Admin\Desktop\asasin.htm
  Filesize: 8KB
  MD5: e08d725bf0d3391207e3a798362f9ddb
  SHA1: 0ec5f8540f36f46f3617bed1f5aaaf6d1a453e6c
  SHA256: aefceadd1f9d0639449b5e9f13640b3cb8f67913064795e6b25227c59afd212b
  SHA512: e43f7fed0257ea6b791302d4057651dbdd4fa67151ebe32778d113c5bec6b2fe9b4b88524675c16289e69b307d27fa27bdd2758620a99217f24ea643d0461cff
- memory/876-62-0x0000000000000000-mapping.dmp
- memory/960-54-0x0000000075801000-0x0000000075803000-memory.dmp
  Filesize: 8KB
- memory/960-55-0x0000000000400000-0x0000000000489000-memory.dmp
  Filesize: 548KB
- memory/960-56-0x0000000000400000-0x000000000049A720-memory.dmp
  Filesize: 617KB
- memory/960-58-0x0000000000400000-0x000000000049A720-memory.dmp
  Filesize: 617KB
- memory/960-60-0x0000000000400000-0x000000000049A720-memory.dmp
  Filesize: 617KB
- memory/960-63-0x0000000000400000-0x000000000049A720-memory.dmp
  Filesize: 617KB
- memory/1288-59-0x0000000000000000-mapping.dmp