Analysis

  • max time kernel
    143s
  • max time network
    113s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-06-2022 01:04

General

  • Target

    33b62b95281bb0ecbad2523bb99e4853fd516044b8f2b42ef4a1e29903e7bd0f.exe

  • Size

    580KB

  • MD5

    86927f4d92665747679ab72a9be87b05

  • SHA1

    35549e85c4cb875e1710afaf274aeead50e06752

  • SHA256

    33b62b95281bb0ecbad2523bb99e4853fd516044b8f2b42ef4a1e29903e7bd0f

  • SHA512

    33255234e1a1a7c19d92e503a57cecef9e1cb46ff5472f2416772a0e9087c111edded597618bb73ee8494c0bc23924d97396b1bc5f2657e946c6e1552696381f

Score
10/10

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33b62b95281bb0ecbad2523bb99e4853fd516044b8f2b42ef4a1e29903e7bd0f.exe
    "C:\Users\Admin\AppData\Local\Temp\33b62b95281bb0ecbad2523bb99e4853fd516044b8f2b42ef4a1e29903e7bd0f.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Enumerates system info in registry
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ykcol.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:972
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\33b62b95281bb0ecbad2523bb99e4853fd516044b8f2b42ef4a1e29903e7bd0f.exe"
      2⤵
      • Deletes itself
      PID:1520
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:240
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {96260CD4-CB41-40EC-B6BB-C8CD19D0D8C7} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      2⤵
      • Interacts with shadow copies
      PID:384
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\ykcol.bmp
    Filesize

    3.8MB

    MD5

    1cbf381cd00ba543998801e3635c5b26

    SHA1

    9db2bcea430426d07ad009e2819ad0340753e1fd

    SHA256

    fd148293071bec9795499f098b83dbd1bafe4e93f1b0e8d355f32f54026aa3b3

    SHA512

    1b89dfc3d39f27b4674dcc9526e2ae72bc16ce5ca9fc1fb652e28c79b956c863fe37f904dfc59e836bd32eaf6699408f5e7923a6a57dad91bc835acde2bb81ac

  • C:\Users\Admin\Desktop\ykcol.htm
    Filesize

    8KB

    MD5

    65b3437eb4bbe80017f4d6afa83d8d2d

    SHA1

    06c2625cc9b5639e8f625dbf99939288e54373bb

    SHA256

    68f2e17dcf0b01736871ad05d8abbf3477bf4620b73ca5e0dc6d9a271c0505b1

    SHA512

    0b0b11c759eaa8e4109d529a99ac9a374be65c5affc0cd9a454725c9e58ea920a546dd17bfdbbaac008002b4351d4b95e3f8978d7532ec30a190f876a87de6fd

  • memory/384-57-0x0000000000000000-mapping.dmp
  • memory/1228-54-0x0000000000400000-0x0000000000494000-memory.dmp
    Filesize

    592KB

  • memory/1228-55-0x0000000000400000-0x0000000000494000-memory.dmp
    Filesize

    592KB

  • memory/1228-56-0x00000000751C1000-0x00000000751C3000-memory.dmp
    Filesize

    8KB

  • memory/1520-59-0x0000000000000000-mapping.dmp