Overview

overview

10

Static

static

28df46fe98...ce.exe

windows7_x64

10

28df46fe98...ce.exe

windows10-2004_x64

3

Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-06-2022 16:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    28df46fe9876341394f8f0e4dcf17bd76f451ea8347104470acb59291f1735ce.exe

  • Size

    770KB

  • MD5

    8ac7c66efdeefceea010123faa515cdf

  • SHA1

    961c26caade6bb374efb19319411f04183af2cb0

  • SHA256

    28df46fe9876341394f8f0e4dcf17bd76f451ea8347104470acb59291f1735ce

  • SHA512

    621d2229400f1900fa78852551b2447577d72b5fe482206b3a2c37c928c9db12057419fde4e5cf81e5deb086618d128b5db1dac7fb26b5fc44ab2765e508c798

Score
10/10
lockyransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28df46fe9876341394f8f0e4dcf17bd76f451ea8347104470acb59291f1735ce.exe
    "C:\Users\Admin\AppData\Local\Temp\28df46fe9876341394f8f0e4dcf17bd76f451ea8347104470acb59291f1735ce.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\asasin.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1424 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:324
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\28df46fe9876341394f8f0e4dcf17bd76f451ea8347104470acb59291f1735ce.exe"
      2⤵
      • Deletes itself
      PID:1944
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1740
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {373D1864-ADA7-4F1E-A9D9-2EFC04C06788} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      2⤵
      • Interacts with shadow copies
      PID:648
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1620

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1MX0S02C.txt
    Filesize

    601B

    MD5

    142f42e05b1165208ba4fbb655190a8b

    SHA1

    e51f9f2bc61284782db665cfdb4a8716d104ad40

    SHA256

    83e2c31d8826345eeb8bdc8178ff37426e1263af43070cc48bb7f2ef78d75177

    SHA512

    fc0faa80cd04ecf15ed8cf6dc208525de1823e125b34c1e4f7b9e60f6eec8313428109a8ebcb938cc6c1538cb8dc2aec03b3b2246fd5232309d754a870df3cef

    Download Submit
  • C:\Users\Admin\Desktop\asasin.bmp
    Filesize

    3.5MB

    MD5

    4f39cbbdfddb5bd031baa5787005ea35

    SHA1

    d6b3a31db8fec1060c558f7d3a09031a5577a816

    SHA256

    67786db0ef712280bc5546027d40ec0a8873dc18be6edcacd755d7cd1b8530ce

    SHA512

    527cfbb2b196dffa808a4ee0ebfea93cf31c23e9f59253a4c4bc89525add1492ffe167d5be5070d39cba08314d4e76328bf24a8b4179ce3fb38ec70fb1108e56

    Download Submit
  • C:\Users\Admin\Desktop\asasin.htm
    Filesize

    9KB

    MD5

    37aa83bff082404da7fd7a75ee856d11

    SHA1

    f1da475c723be1ca4d95cf7975fdd8de42a8cd96

    SHA256

    7555edb10d785bb08f4d478aca4a49c333077475bfda876a211a1eecd27865d3

    SHA512

    138fcce2050ab8b4bbd07f323dba66bbf1857852f1d7bcb2b8cfd4d140c23257a216a67ccb89d21d05d40e93aa35de08278d4ce43bcb3949c56d4bcaebda07f9

    Download Submit
  • memory/648-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1648-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1648-55-0x0000000000400000-0x00000000004C9000-memory.dmp
    Filesize

    804KB

    Download
  • memory/1648-58-0x0000000001CF0000-0x0000000001D79000-memory.dmp
    Filesize

    548KB

    Download
  • memory/1944-61-0x0000000000000000-mapping.dmp
    Download