Overview

overview

10

Static

static

5776efe08f...a8.exe

windows7_x64

10

5776efe08f...a8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    1617s
  • max time network
    1622s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    28-06-2022 16:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5776efe08fd2b5847cafd084ed56e0457de02608e6c8e4e971c8e00cc3355fa8.exe

  • Size

    174KB

  • MD5

    50bde00178dbc70e43d8e6156e9a1c0d

  • SHA1

    26a7bc0b6fd83644b1df1f0378dec013026c4971

  • SHA256

    5776efe08fd2b5847cafd084ed56e0457de02608e6c8e4e971c8e00cc3355fa8

  • SHA512

    b7e98b367e977b914b182ddf182f88a7e8be35e8eaef2dea69f21027b7f7d7faa5913d01f71a1d4e89e0dfc6b4f0331bda824f776209213852575ec236c44bd5

Score
10/10
lockyransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Deletes itself 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5776efe08fd2b5847cafd084ed56e0457de02608e6c8e4e971c8e00cc3355fa8.exe
    "C:\Users\Admin\AppData\Local\Temp\5776efe08fd2b5847cafd084ed56e0457de02608e6c8e4e971c8e00cc3355fa8.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_HELP_instructions.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1280
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\5776efe08fd2b5847cafd084ed56e0457de02608e6c8e4e971c8e00cc3355fa8.exe"
      2⤵
      • Deletes itself
      PID:1916
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1748

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\90OZGM49.txt
    Filesize

    602B

    MD5

    985db52f8a76bfe3ce2b1ecfd21fc7f1

    SHA1

    31a568e1e8a53f2d0020e01f5dcb6eb53cac347a

    SHA256

    396ecef94b97a67a64880e9242a813819a71e6252a1a5201197d78a320a8317d

    SHA512

    e124266df1f1edcdcaa5ee892a3b87a034b32100486d3c01810bf3793b50526a6cd59b9845ee31f21047a9bbfc2b5bb19de2e9d1fb21f6a56ef2c59002d8006d

    Download Submit
  • C:\Users\Admin\Desktop\_HELP_instructions.bmp
    Filesize

    3.5MB

    MD5

    77e225eed157923173c3a52df0acb78f

    SHA1

    f4c37dfa407658e34b523ee34895345f72a79b7c

    SHA256

    5d33e09700e4e2e580c629d8eab6c88b62c00a174f5f29e3e27745875fa6af21

    SHA512

    765f773fbeaf7743042e3c23d4719118545ff9864255e09b67230aba7ec034ef6375c48b34182f2172dd5a5a3b1ad1f9d32452f343455a0e263874c77876e7aa

    Download Submit
  • C:\Users\Admin\Desktop\_HELP_instructions.html
    Filesize

    9KB

    MD5

    fbc9ecb8af74f93041589b2167e6375c

    SHA1

    616b71032e7e3d788281cc152972995091658c67

    SHA256

    661458b38041eee8acd7e423a9ebbf6b782a04494ee142733805f9276e4148bf

    SHA512

    95f6a2a7b58558a6049904e27ec35f67caafe338cb0fe4c17b9d6010efb094382b8c5be6eb1a83926a975a4421f5adaf2eea8334c45381d4142eb2b607414b1f

    Download Submit
  • memory/1668-63-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1668-65-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1668-60-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1668-61-0x0000000000250000-0x0000000000276000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1668-62-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1668-54-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1668-64-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1668-58-0x00000000762C1000-0x00000000762C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1668-66-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1668-67-0x0000000000250000-0x0000000000276000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1668-55-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1668-70-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1668-71-0x0000000000250000-0x0000000000276000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1668-57-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1668-56-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1916-69-0x0000000000000000-mapping.dmp
    Download