Analysis
-
max time kernel
143s -
max time network
113s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-06-2022 01:04
General
-
Target
33b62b95281bb0ecbad2523bb99e4853fd516044b8f2b42ef4a1e29903e7bd0f.exe
-
Size
580KB
-
MD5
86927f4d92665747679ab72a9be87b05
-
SHA1
35549e85c4cb875e1710afaf274aeead50e06752
-
SHA256
33b62b95281bb0ecbad2523bb99e4853fd516044b8f2b42ef4a1e29903e7bd0f
-
SHA512
33255234e1a1a7c19d92e503a57cecef9e1cb46ff5472f2416772a0e9087c111edded597618bb73ee8494c0bc23924d97396b1bc5f2657e946c6e1552696381f
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\33b62b95281bb0ecbad2523bb99e4853fd516044b8f2b42ef4a1e29903e7bd0f.exe"C:\Users\Admin\AppData\Local\Temp\33b62b95281bb0ecbad2523bb99e4853fd516044b8f2b42ef4a1e29903e7bd0f.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Enumerates system info in registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ykcol.htm2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\33b62b95281bb0ecbad2523bb99e4853fd516044b8f2b42ef4a1e29903e7bd0f.exe"2⤵
- Deletes itself
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {96260CD4-CB41-40EC-B6BB-C8CD19D0D8C7} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All2⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.8MB
MD51cbf381cd00ba543998801e3635c5b26
SHA19db2bcea430426d07ad009e2819ad0340753e1fd
SHA256fd148293071bec9795499f098b83dbd1bafe4e93f1b0e8d355f32f54026aa3b3
SHA5121b89dfc3d39f27b4674dcc9526e2ae72bc16ce5ca9fc1fb652e28c79b956c863fe37f904dfc59e836bd32eaf6699408f5e7923a6a57dad91bc835acde2bb81ac
-
Filesize
8KB
MD565b3437eb4bbe80017f4d6afa83d8d2d
SHA106c2625cc9b5639e8f625dbf99939288e54373bb
SHA25668f2e17dcf0b01736871ad05d8abbf3477bf4620b73ca5e0dc6d9a271c0505b1
SHA5120b0b11c759eaa8e4109d529a99ac9a374be65c5affc0cd9a454725c9e58ea920a546dd17bfdbbaac008002b4351d4b95e3f8978d7532ec30a190f876a87de6fd
-
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
8KB
-
