Analysis

  • max time kernel
    135s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-06-2022 18:57

General

  • Target

    1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe

  • Size

    589KB

  • MD5

    e43244db36895d6a28850d3408d80f45

  • SHA1

    86ef0edf0a3f2f3edf4192fdd3addedda48945c9

  • SHA256

    1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3

  • SHA512

    d55ae92112dccbc515e4b9790bf7470304ae9fe3c50d200d31ba91ebbf1870f15978cdb622b0b51c126656865e5c947a201cffae337f058c8783a58813286004

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
    "C:\Users\Admin\AppData\Local\Temp\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\asasin.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1696
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe"
      2⤵
      • Deletes itself
      PID:876
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2032
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {B788752E-862B-4D7C-B6C9-4328C815920F} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:572
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      2⤵
      • Interacts with shadow copies
      PID:1288
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1464

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ENFFKYWB.txt
    Filesize

    603B

    MD5

    fe906cff9154d8e3d4192e423d80b791

    SHA1

    59edbe753f405e449cc1a50f87dbd55a61a1b09a

    SHA256

    01e67274b4d1b5f3d4b23e3ee04fe26307c50a9edf3a45d4823129c5645b841f

    SHA512

    6ff9b57a617183bbe16a9a7a4c679e42a5e7254e7e99a58f15378df9a74da1d78b34a663d83daa645fe04042483ad5326050f3bee3d881da756409b0f590b095

  • C:\Users\Admin\Desktop\asasin.bmp
    Filesize

    3.1MB

    MD5

    64e334fdd68ff2eb57815621e100df1e

    SHA1

    93580645b3bc713184ae359fa32f420e656c5a86

    SHA256

    5246115d4ece8437bc5b43d5c96bd9f2fd41a4006d151ef5be27188683e09a91

    SHA512

    8bfd83c35c766559e77cbc90485acf7dc42ca02320c4fb94c20dda8c22be3b5d5a4a7d0a1834467d6fc5bf3e9850238abe1cd7a5dbeff427c9ae2e2458c3b516

  • C:\Users\Admin\Desktop\asasin.htm
    Filesize

    8KB

    MD5

    e08d725bf0d3391207e3a798362f9ddb

    SHA1

    0ec5f8540f36f46f3617bed1f5aaaf6d1a453e6c

    SHA256

    aefceadd1f9d0639449b5e9f13640b3cb8f67913064795e6b25227c59afd212b

    SHA512

    e43f7fed0257ea6b791302d4057651dbdd4fa67151ebe32778d113c5bec6b2fe9b4b88524675c16289e69b307d27fa27bdd2758620a99217f24ea643d0461cff

  • memory/876-62-0x0000000000000000-mapping.dmp
  • memory/960-54-0x0000000075801000-0x0000000075803000-memory.dmp
    Filesize

    8KB

  • memory/960-55-0x0000000000400000-0x0000000000489000-memory.dmp
    Filesize

    548KB

  • memory/960-56-0x0000000000400000-0x000000000049A720-memory.dmp
    Filesize

    617KB

  • memory/960-58-0x0000000000400000-0x000000000049A720-memory.dmp
    Filesize

    617KB

  • memory/960-60-0x0000000000400000-0x000000000049A720-memory.dmp
    Filesize

    617KB

  • memory/960-63-0x0000000000400000-0x000000000049A720-memory.dmp
    Filesize

    617KB

  • memory/1288-59-0x0000000000000000-mapping.dmp