Analysis

  • max time kernel
    1630s
  • max time network
    1633s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    28-06-2022 17:37

General

  • Target

    5463a73bab1d07f4a43a55b656b1bd24607f9e707654c2f011b428ee64cdffd1.exe

  • Size

    182KB

  • MD5

    f808981cbf3210d6ffb779b144414cac

  • SHA1

    6856fd105f9bea73df88706c5abc40c3b3f9a4db

  • SHA256

    5463a73bab1d07f4a43a55b656b1bd24607f9e707654c2f011b428ee64cdffd1

  • SHA512

    1a4cd00b18faeb2600f74b43dd143259e6d5fd17b60a9dc500d47d1c9ddd21c793df07e8240ff52f09e9fab9b65fc6c1e1cce95be8584e1bbd6980692cb4ac78

Malware Config

Signatures

  • Locky

    Ransomware family first seen in early 2016. It encrypts user files and renames them with its own extension, drops _HELP_instructions ransom notes, and carries anti-analysis features.

  • suricata: ET MALWARE Ransomware Locky CnC Beacon 21 May

    Network traffic from the sample matched the Emerging Threats (ET) Suricata rule for Locky command-and-control beaconing.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5463a73bab1d07f4a43a55b656b1bd24607f9e707654c2f011b428ee64cdffd1.exe
    "C:\Users\Admin\AppData\Local\Temp\5463a73bab1d07f4a43a55b656b1bd24607f9e707654c2f011b428ee64cdffd1.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_HELP_instructions.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:292
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:292 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1492
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\5463a73bab1d07f4a43a55b656b1bd24607f9e707654c2f011b428ee64cdffd1.exe"
      2⤵
      • Deletes itself
      PID:1332
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1972
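
The two behaviours that stand out in the tree above are the sample launching Internet Explorer on the dropped ransom note and then removing its own executable through cmd.exe. The following is an added example, not part of the sandbox report: two detection rules run over constructed Sysmon-style process-creation events that mirror the report's PIDs and command lines. The event shape, field names and the parent PIDs of the two root processes are assumptions.

```python
"""Added example (not from the sandbox report): detection rules for the
process tree above, run over constructed process-creation events."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged

# Constructed events mirroring the report's process tree. PIDs, images and
# command lines are those shown above; the ppid of the two top-level
# processes is an assumption.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5463a73bab1d07f4a43a55b656b1bd24607f9e707654c2f011b428ee64cdffd1.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
EVENTS: List[ProcEvent] = [
    ProcEvent(1036, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(292, 1036, IE, rf'"{IE}" C:\Users\Admin\Desktop\_HELP_instructions.html'),
    ProcEvent(1492, 292, IE32, f'"{IE32}" SCODEF:292 CREDAT:275457 /prefetch:2'),
    ProcEvent(1332, 1036, r"C:\Windows\SysWOW64\cmd.exe", f'cmd.exe /C del /Q /F "{SAMPLE}"'),
    ProcEvent(1972, 1, r"C:\Windows\SysWOW64\DllHost.exe",
              r"C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}"),
]

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"explorer.exe"}   # the normal launcher when a user opens a document
# "del ... <path>.exe", with or without quotes around the path
DEL_RE = re.compile(r'\bdel\b[^"]*"?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?', re.IGNORECASE)
# a local document handed to a browser on its command line
DOC_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"\s]+?\.(?:html?|txt|bmp))\b', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, suspect_pid, path) findings for the two Locky behaviours."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, int, str]] = []
    for e in events:
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        if parent is None:
            continue
        name = basename(e.image)
        # Rule 1: cmd.exe deleting the image of the process that spawned it
        # (the report's "Deletes itself").
        if name == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m and m.group("path").lower() == parent.image.lower():
                findings.append(("self_delete", parent.pid, m.group("path")))
        # Rule 2: a browser started by something other than a browser or the
        # shell, just to display a local document (ransom-note display).
        if name in BROWSERS and basename(parent.image) not in BROWSERS | SHELLS:
            m = DOC_RE.search(e.cmdline)
            if m:
                findings.append(("ransom_note_display", parent.pid, m.group("path")))
    return findings


if __name__ == "__main__":
    for rule, pid, path in detect(EVENTS):
        print(f"{rule}: pid {pid} -> {path}")
```

Both rules key on the parent relationship rather than on the file name `_HELP_instructions.html`, so the same logic also catches the child IEXPLORE.EXE (pid 1492) correctly as benign: its parent is itself a browser.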

Network

MITRE ATT&CK Matrix ATT&CK v6

Tactic            Technique                      Count  ID
Defense Evasion   Modify Registry                2      T1112
Discovery         System Information Discovery   1      T1082
Impact            Defacement                     1      T1491

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KPL5MTJX.txt
    Filesize

    604B

    MD5

    fe7b82209816a4e508767910a542ad07

    SHA1

    900321e14faeada2a60407f20413d1858a040799

    SHA256

    ee7d759a9bcebe000d3882e18d00cd655ddbefc9141871ce1c701810af0f2ef1

    SHA512

    30dd5e25d2af4f7b6f08dabddd97e879c83a4c0b8e7988509e387c2103993755b4249a4481bdd1a1a3eb0f09513f22190a9c3800ef14882e4129165b435b473a

  • C:\Users\Admin\Desktop\_HELP_instructions.bmp
    Filesize

    3.1MB

    MD5

    10b6f285c01dfe482c81b6dd3693e3d8

    SHA1

    22545d7c7c0b8657fd50e639664881a44caf6e31

    SHA256

    db1b7ad79ef198eea2fee7de396bf62f7f88129335ade741f0871b34af286c12

    SHA512

    67bc40b58b55e5d012a3e3357c33da14fdd32f1b8440f9bd203f92e8ecc349a4bf38c5ea2a72cdd41b9f82de3c78c86429a1f75e5fdfb5eff56fa8fccdef09a0

  • C:\Users\Admin\Desktop\_HELP_instructions.html
    Filesize

    8KB

    MD5

    4f907539235705d406528a279360caf6

    SHA1

    9677b10eabbaf22ad6b8128a3bbdc1cedeb2dbc9

    SHA256

    afb23033557feb9e3f70364930e0651927301198377742e9806ff041da9034b3

    SHA512

    ab1f4e4560d321c647054f526d9ec6009d51e0f570399e6f731454acd88771d2202c783d0b6abaf45466a038b1119aaa3e7939736f397f0e5577ba7371a52a8e

  • memory/1036-54-0x0000000075941000-0x0000000075943000-memory.dmp
    Filesize

    8KB

  • memory/1036-56-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize

    260KB

  • memory/1036-57-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize

    260KB

  • memory/1036-58-0x0000000000290000-0x00000000002B6000-memory.dmp
    Filesize

    152KB

  • memory/1036-59-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize

    260KB

  • memory/1036-60-0x0000000000290000-0x00000000002B6000-memory.dmp
    Filesize

    152KB

  • memory/1036-64-0x0000000000290000-0x00000000002B6000-memory.dmp
    Filesize

    152KB

  • memory/1036-63-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

  • memory/1332-62-0x0000000000000000-mapping.dmp
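
The dump names above encode PID, dump sequence number and the dumped address range, and the sizes the report prints are just end minus start. The main image of pid 1036 at 0x400000 is dumped first at 260KB and later (seq 63) at 152KB, the same size as the 0x290000 region dumped before it; together with the "Suspicious use of UnmapMainImage" signature this is consistent with the original image being unmapped and a staged payload written in its place, although the report itself does not say so. The following is an added example, not part of the report: a parser for the dump-name format that recovers region sizes and flags a start address dumped at more than one size.

```python
"""Added example (not from the sandbox report): parse memory-dump names from
the listing above and flag a main image re-dumped at a different size."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Name format taken from the listing: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
# or memory/<pid>-<seq>-0x<start>-mapping.dmp (no end address).
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"-(?:0x(?P<end>[0-9a-fA-F]+)-memory|mapping)\.dmp$"
)

# Constructed input: the dump names exactly as they appear in the report.
DUMPS = [
    "memory/1036-54-0x0000000075941000-0x0000000075943000-memory.dmp",
    "memory/1036-56-0x0000000000400000-0x0000000000441000-memory.dmp",
    "memory/1036-57-0x0000000000400000-0x0000000000441000-memory.dmp",
    "memory/1036-58-0x0000000000290000-0x00000000002B6000-memory.dmp",
    "memory/1036-59-0x0000000000400000-0x0000000000441000-memory.dmp",
    "memory/1036-60-0x0000000000290000-0x00000000002B6000-memory.dmp",
    "memory/1036-64-0x0000000000290000-0x00000000002B6000-memory.dmp",
    "memory/1036-63-0x0000000000400000-0x0000000000426000-memory.dmp",
    "memory/1332-62-0x0000000000000000-mapping.dmp",
]


def parse_dump(name: str) -> Dict[str, Optional[int]]:
    """Split a dump name into pid, seq, start, end and size (0 for mapping dumps)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m.group("start"), 16)
    end = int(m.group("end"), 16) if m.group("end") else None
    return {
        "pid": int(m.group("pid")),
        "seq": int(m.group("seq")),
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else 0,
    }


def size_kb(name: str) -> int:
    """Region size in whole KiB, which is how the report prints it."""
    return parse_dump(name)["size"] // 1024


def find_remapped_images(names: List[str]) -> Dict[Tuple[int, int], List[int]]:
    """(pid, start) -> distinct sizes in dump order, for ranges dumped at more than one size."""
    by_region: Dict[Tuple[int, int], List[int]] = defaultdict(list)
    parsed = sorted((parse_dump(n) for n in names), key=lambda d: (d["pid"], d["seq"]))
    for d in parsed:
        if d["end"] is None:
            continue  # mapping dumps carry no address range
        sizes = by_region[(d["pid"], d["start"])]
        if not sizes or sizes[-1] != d["size"]:
            sizes.append(d["size"])
    return {k: v for k, v in by_region.items() if len(v) > 1}


if __name__ == "__main__":
    for n in DUMPS:
        print(f"{n}: {size_kb(n)}KB")
    for (pid, start), sizes in find_remapped_images(DUMPS).items():
        print(f"pid {pid} range at {start:#x} dumped at sizes {[hex(s) for s in sizes]}")
```

Only pid 1036's range at 0x400000 is flagged (0x41000 then 0x26000 bytes); the 0x290000 range keeps the same 0x26000 size across its three dumps, and the pid 1332 entry is a mapping dump with no range, so it is skipped.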