Analysis
max time kernel: 151s
max time network: 132s
platform: windows7_x64
resource: win7-20220414-en
submitted: 16-06-2022 07:03

Static task: static1

Behavioral task: behavioral1
  Sample: 26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
  Resource: win10v2004-20220414-en
General
Target: 26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
Size: 212KB
MD5: 85181bc7f85b197b6128031a2781dd08
SHA1: 750160b2d1a83e743bb06584bad158b0bb4ef426
SHA256: 26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040
SHA512: ac51fd25bf4ff5f41ce503d65dbcd9c1f4b9a078393bacb3a619b030e1014ec73ff75ec1cd456a6d28a4f09307c01cd744621edc5aa7d4f6c9f1cee4d2acd741
Malware Config

Signatures
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
- suricata: ET MALWARE Locky CnC Checkin HTTP Pattern
- suricata: ET MALWARE Locky CnC checkin Nov 21
- suricata: ET MALWARE Locky CnC checkin Nov 21 M2
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description: File opened for modification
    ioc: \??\c:\Users\Admin\Pictures\SubmitLimit.tiff
    process: 26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid: 1320
    process: 26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 1320 set thread context of 1636
    pid: 1320
    process: 26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
    target process: 26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid: 1320
    process: 26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (pid 1320, process 26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe; target process 26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe):
    PID 1320 wrote to memory of 1636
    PID 1320 wrote to memory of 1636
    PID 1320 wrote to memory of 1636
    PID 1320 wrote to memory of 1636
    PID 1320 wrote to memory of 1636
    PID 1320 wrote to memory of 1636
    PID 1320 wrote to memory of 1636
    PID 1320 wrote to memory of 1636
Processes
- C:\Users\Admin\AppData\Local\Temp\26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe (PID: 1320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe (PID: 1636)
    Command line: "C:\Users\Admin\AppData\Local\Temp\26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe"
    - Modifies extensions of user files
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsdFA96.tmp\System.dll
  Filesize: 11KB
  MD5: ca332bb753b0775d5e806e236ddcec55
  SHA1: f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
  SHA256: df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
  SHA512: 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00
- memory/1320-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp
  Filesize: 8KB
- memory/1320-56-0x0000000000560000-0x000000000057D000-memory.dmp
  Filesize: 116KB
- memory/1320-59-0x0000000000560000-0x000000000057D000-memory.dmp
  Filesize: 116KB
- memory/1636-57-0x00000000001D56BA-mapping.dmp
- memory/1636-60-0x00000000001D0000-0x00000000001F7000-memory.dmp
  Filesize: 156KB
- memory/1636-61-0x0000000000290000-0x00000000002B7000-memory.dmp
  Filesize: 156KB
- memory/1636-62-0x0000000000290000-0x00000000002B7000-memory.dmp
  Filesize: 156KB