Analysis
- max time kernel: 149s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 17:33

Static task: static1

Behavioral task: behavioral1
- Sample: 287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll
- Resource: win10v2004-20220414-en
General
- Target: 287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll
- Size: 110KB
- MD5: 76feaf6e14049057bdfc1606421a2350
- SHA1: 4df6ea142b356257f9960d6bacda3be20a49df5f
- SHA256: 287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57
- SHA512: 21fe9f07f4fee39150376a43332395fd1238384ae1361248a17ae0a33313e216593eb1aefec4621c69b4ef1bc21f1110bb367fea10720cf4ebb884ab83d907fd
Malware Config
Signatures
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid 1244  process vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeBackupPrivilege   pid 1424  process vssvc.exe
    Token: SeRestorePrivilege  pid 1424  process vssvc.exe
    Token: SeAuditPrivilege    pid 1424  process vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 3516 wrote to memory of 2400  pid 3516  process rundll32.exe  target process rundll32.exe
    PID 3516 wrote to memory of 2400  pid 3516  process rundll32.exe  target process rundll32.exe
    PID 3516 wrote to memory of 2400  pid 3516  process rundll32.exe  target process rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3516
  - C:\Windows\SysWOW64\rundll32.exe (child of PID 3516)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll,#1
    PID: 2400
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1424
- C:\Windows\system32\vssadmin.exe
  Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
  - Interacts with shadow copies
  PID: 1244
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2400-130-0x0000000000000000-mapping.dmp
- memory/2400-131-0x0000000075870000-0x0000000075899000-memory.dmp (Filesize: 164KB)
- memory/2400-132-0x0000000075870000-0x0000000075899000-memory.dmp (Filesize: 164KB)
- memory/2400-134-0x0000000075870000-0x0000000075899000-memory.dmp (Filesize: 164KB)