Analysis
- max time kernel: 173s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 07:42
Static task: static1
Behavioral task: behavioral1
- Sample: f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe
- Resource: win10v2004-20220414-en
General
- Target: f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe
- Size: 135KB
- MD5: 511aa2f2fe6196e032ec7fef83bb8d95
- SHA1: ce874f517d335a1e1ab0df99111df1d3adbc0d21
- SHA256: f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150
- SHA512: 78a4771ab5e531420a45338ae27a5a4dad11b50385964a739e7ecec2c55d3ee47cde148dfc1e82ce7e8b8eb8a04a7f9b784cdd640e490a84bc8ce621d2f8d1c0
Malware Config
Signatures
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes: f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe
  description | ioc | process
  File opened for modification | \??\c:\Users\Admin\Pictures\ResetClear.tiff | f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\_HELP_instructions.bmp" | f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies Control Panel (2 IoCs)
  Processes: f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\WallpaperStyle = "0" | f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\TileWallpaper = "0" | f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: msedge.exe
  pid | process
  4908 | msedge.exe
  4908 | msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
  Processes: msedge.exe
  pid | process
  740 | msedge.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: msedge.exe
  pid | process
  740 | msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe, msedge.exe
  64 entries in total; identical entries are collapsed with their count in brackets.
  description | pid | process | target process
  PID 2392 wrote to memory of 740 | 2392 | f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe | msedge.exe [x2]
  PID 2392 wrote to memory of 3876 | 2392 | f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe | cmd.exe [x3]
  PID 740 wrote to memory of 3728 | 740 | msedge.exe | msedge.exe [x2]
  PID 740 wrote to memory of 1272 | 740 | msedge.exe | msedge.exe [x40]
  PID 740 wrote to memory of 4908 | 740 | msedge.exe | msedge.exe [x2]
  PID 740 wrote to memory of 1052 | 740 | msedge.exe | msedge.exe [x15]
Processes
- C:\Users\Admin\AppData\Local\Temp\f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe (PID 2392, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe"
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 740, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_HELP_instructions.html
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3728, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb91f246f8,0x7ffb91f24708,0x7ffb91f24718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1272, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1500,4086269291485844771,9395977264998218629,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4908, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,4086269291485844771,9395977264998218629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1052, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1500,4086269291485844771,9395977264998218629,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2296, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,4086269291485844771,9395977264998218629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1792, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,4086269291485844771,9395977264998218629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  - C:\Windows\SysWOW64\cmd.exe (PID 3876, depth 2)
    Command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe"
- C:\Windows\System32\CompPkgSrv.exe (PID 4440, depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads
- \??\pipe\LOCAL\crashpad_740_HUNKTIBAZJVXJNDL
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/740-132-0x0000000000000000-mapping.dmp
- memory/1052-141-0x0000000000000000-mapping.dmp
- memory/1272-137-0x0000000000000000-mapping.dmp
- memory/1792-145-0x0000000000000000-mapping.dmp
- memory/2296-143-0x0000000000000000-mapping.dmp
- memory/2392-130-0x0000000002220000-0x0000000002246000-memory.dmp (Filesize: 152KB)
- memory/2392-131-0x0000000002220000-0x0000000002246000-memory.dmp (Filesize: 152KB)
- memory/2392-134-0x0000000002220000-0x0000000002246000-memory.dmp (Filesize: 152KB)
- memory/3728-135-0x0000000000000000-mapping.dmp
- memory/3876-133-0x0000000000000000-mapping.dmp
- memory/4908-138-0x0000000000000000-mapping.dmp