Analysis
- max time kernel: 150s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 15-06-2022 17:33
Static task
- static1
Behavioral task
- behavioral1
  Sample: 287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll
  Resource: win7-20220414-en
Behavioral task
- behavioral2
  Sample: 287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll
  Resource: win10v2004-20220414-en
General
- Target: 287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll
- Size: 110KB
- MD5: 76feaf6e14049057bdfc1606421a2350
- SHA1: 4df6ea142b356257f9960d6bacda3be20a49df5f
- SHA256: 287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57
- SHA512: 21fe9f07f4fee39150376a43332395fd1238384ae1361248a17ae0a33313e216593eb1aefec4621c69b4ef1bc21f1110bb367fea10720cf4ebb884ab83d907fd
Malware Config
Signatures
- Locky
  Ransomware strain first seen in 2016, with advanced features such as anti-analysis.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery. Here the deletion is performed by vssadmin.exe, which the process tree shows being launched by the Task Scheduler engine (taskeng.exe) running as NT AUTHORITY\SYSTEM rather than directly by the sample's rundll32 processes.
  Processes:
    pid   process
    1308  vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  These privileges are enabled by the Volume Shadow Copy service process (vssvc.exe, PID 2032) itself while it services the vssadmin request; they are not adjusted by the sample's own rundll32 processes.
  Processes:
    description                 pid   process
    Token: SeBackupPrivilege    2032  vssvc.exe
    Token: SeRestorePrivilege   2032  vssvc.exe
    Token: SeAuditPrivilege     2032  vssvc.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  The rundll32 -> rundll32 writes are the 64-bit rundll32.exe (system32) handing the 32-bit DLL to its SysWOW64 counterpart, which it launches as a child process; the taskeng -> vssadmin writes are the Task Scheduler starting the shadow-copy deletion.
  Processes:
    description                        pid   process       target process
    PID 1592 wrote to memory of 1556   1592  rundll32.exe  rundll32.exe   (7 events)
    PID 1296 wrote to memory of 1308   1296  taskeng.exe   vssadmin.exe   (3 events)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll,#1
  Suspicious use of WriteProcessMemory
  PID: 1592
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll,#1
    PID: 1556
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  Suspicious use of AdjustPrivilegeToken
  PID: 2032
- C:\Windows\system32\taskeng.exe
  taskeng.exe {BCEC50A0-54C6-4BF7-B94E-A97F424212E5} S-1-5-18:NT AUTHORITY\System:Service:
  Suspicious use of WriteProcessMemory
  PID: 1296
  - C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
    Interacts with shadow copies
    PID: 1308
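The two behaviours this report flags (the vssadmin Delete Shadows command and rundll32 loading a DLL by ordinal from the user's Temp directory) can be turned into simple process-creation detections. The following is an added example, not sandbox output and not code from the sample: it runs detection logic over a set of events constructed from the process tree above. The field names (pid, ppid, image, cmdline) mirror Sysmon Event ID 1 and are an assumption, ppid 0 marks a process whose parent the report does not show, and the wmic and Resize ShadowStorage patterns go beyond the report, covering two shadow-copy tampering variants ransomware commonly uses alongside the Delete Shadows form shown here.

```python
"""Flag shadow-copy tampering and rundll32 ordinal loads in process events.

Added example for this report; not sandbox output and not code from the
sample. EVENTS is constructed from the process tree in the report; field
names (pid, ppid, image, cmdline) mirror Sysmon Event ID 1 and are an
assumption, and ppid 0 marks a process whose parent the report does not show.
"""
import re
from typing import Dict, List, Optional, Tuple

DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll")

# Constructed from the report's process tree (PIDs and command lines as shown).
EVENTS: List[Dict] = [
    {"pid": 1592, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL + ",#1"},
    {"pid": 1556, "ppid": 1592, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL + ",#1"},
    {"pid": 2032, "ppid": 0, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
    {"pid": 1296, "ppid": 0, "image": r"C:\Windows\system32\taskeng.exe",
     "cmdline": r"taskeng.exe {BCEC50A0-54C6-4BF7-B94E-A97F424212E5} "
                r"S-1-5-18:NT AUTHORITY\System:Service:"},
    {"pid": 1308, "ppid": 1296, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r"C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All"},
]

# Shadow-copy tampering: the vssadmin Delete Shadows form the report shows,
# plus two variants the report does not show but ransomware commonly uses.
SHADOW_RULES: List[Tuple[str, re.Pattern, str]] = [
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I), "shadow_copy_delete"),
    ("vssadmin.exe", re.compile(r"\bresize\s+shadowstorage\b", re.I), "shadow_storage_resize"),
    ("wmic.exe", re.compile(r"\bshadowcopy\s+delete\b", re.I), "shadow_copy_delete"),
]

# rundll32 calling an export by ordinal (",#1") in a DLL under the user's Temp.
RUNDLL32_ORDINAL_TEMP = re.compile(
    r"\\AppData\\Local\\Temp\\[^,\s]+\.dll,#\d+\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(image: str, cmdline: str) -> Optional[str]:
    """Return the rule name an (image, command line) pair triggers, else None."""
    img = basename(image)
    for rule_image, pattern, name in SHADOW_RULES:
        if img == rule_image and pattern.search(cmdline):
            return name
    if img == "rundll32.exe" and RUNDLL32_ORDINAL_TEMP.search(cmdline):
        return "rundll32_ordinal_from_temp"
    return None


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image basenames from pid up to the last parent present in events."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """(pid, rule, 'child <- parent <- ...') for every event that matches a rule."""
    findings = []
    for e in events:
        name = classify(e["image"], e["cmdline"])
        if name:
            findings.append((e["pid"], name, " <- ".join(ancestry(events, e["pid"]))))
    return findings


if __name__ == "__main__":
    for pid, rule, chain in detect(EVENTS):
        print(f"PID {pid}: {rule} ({chain})")
```

Run against the constructed events, this reports both rundll32 processes (the system32 one and its SysWOW64 child) for the ordinal load from Temp, and vssadmin.exe for the shadow-copy deletion with taskeng.exe as its parent. Keying on the command line rather than on the rundll32 -> rundll32 parent-child pair matters, because a 64-bit rundll32.exe handing a 32-bit DLL to its SysWOW64 counterpart is normal WoW64 behaviour and would also fire on benign DLLs; the parent chain is reported only as context for the analyst.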
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1308-60-0x0000000000000000-mapping.dmp
- memory/1556-54-0x0000000000000000-mapping.dmp
- memory/1556-55-0x0000000075581000-0x0000000075583000-memory.dmp (8KB)
- memory/1556-56-0x0000000074DA0000-0x0000000074DC9000-memory.dmp (164KB)
- memory/1556-58-0x0000000074DA0000-0x0000000074DC9000-memory.dmp (164KB)
- memory/1556-59-0x0000000074DD0000-0x0000000074DF9000-memory.dmp (164KB)
- memory/1556-61-0x0000000074DD0000-0x0000000074DF9000-memory.dmp (164KB)
- memory/1556-62-0x0000000074DA0000-0x0000000074DC9000-memory.dmp (164KB)