Overview

overview

10

Static

static

2873924251...57.dll

windows7_x64

10

2873924251...57.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-06-2022 17:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll

  • Size

    110KB

  • MD5

    76feaf6e14049057bdfc1606421a2350

  • SHA1

    4df6ea142b356257f9960d6bacda3be20a49df5f

  • SHA256

    287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57

  • SHA512

    21fe9f07f4fee39150376a43332395fd1238384ae1361248a17ae0a33313e216593eb1aefec4621c69b4ef1bc21f1110bb367fea10720cf4ebb884ab83d907fd

Score
10/10
lockyransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll,#1
      2⤵
        PID:2400
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1424
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      1⤵
      • Interacts with shadow copies
      PID:1244

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2400-130-0x0000000000000000-mapping.dmp
      Download
    • memory/2400-131-0x0000000075870000-0x0000000075899000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2400-132-0x0000000075870000-0x0000000075899000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2400-134-0x0000000075870000-0x0000000075899000-memory.dmp
      Filesize

      164KB

      Download