Overview

overview

10

Static

static

9e803068b0...c0.exe

windows7_x64

10

9e803068b0...c0.exe

windows10-2004_x64

3

Analysis

  • max time kernel
    1624s
  • max time network
    1627s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    28-06-2022 16:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e803068b0df00f2681f79d31f27aee618cf65456aed57e3a8247995f4e2d4c0.exe

  • Size

    262KB

  • MD5

    dfbcb56267bde1b0c5cd2e891c5f1444

  • SHA1

    12c74bdb6d04cd4d40f469ae7193e49f862a3aee

  • SHA256

    9e803068b0df00f2681f79d31f27aee618cf65456aed57e3a8247995f4e2d4c0

  • SHA512

    66075ff634d9d92db61c3f86a5147920ac8e4b325c48227a2a0e96d88c334668153cd963c34fa3a267ceab09c356e4d5551a7c7ecbe20a996979fe4ab4b5abf1

Score
10/10
lockyransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e803068b0df00f2681f79d31f27aee618cf65456aed57e3a8247995f4e2d4c0.exe
    "C:\Users\Admin\AppData\Local\Temp\9e803068b0df00f2681f79d31f27aee618cf65456aed57e3a8247995f4e2d4c0.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_HELP_instructions.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:936 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2008
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\9e803068b0df00f2681f79d31f27aee618cf65456aed57e3a8247995f4e2d4c0.exe"
      2⤵
      • Deletes itself
      PID:1520
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1956

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\91HLSQG2.txt
    Filesize

    604B

    MD5

    6de8677e06eff5f0a91474f263c2631c

    SHA1

    e2195e1988d5d8ba46ce146377cc23a43d349a0d

    SHA256

    20d558d73008ca6863c27b3eda706d2521aa3db21ef16190a7ca92ae62dc8e4d

    SHA512

    0cde08984b56bf86059c2b382abb9c16f339623962a30a18001cce7ac152ed4e61a96f2b983c08642425ed603215985632d856e5d471694466aa7d02bc18b86c

    Download Submit
  • C:\Users\Admin\Desktop\_HELP_instructions.bmp
    Filesize

    3.1MB

    MD5

    f8a7eabcc6fffbcd8a25f64b5662f9d5

    SHA1

    7da92a85e4eda43fbe4300053a796bc97a774510

    SHA256

    40c97e104e4b3d4ee2127460824f4d87b6cdb58021f3d4308c58640ae90c9f2b

    SHA512

    76095217c909aca09ccbc17f026490894e05ee2e09010a3bf2e1153f5d9a5bfc94c55153aea36369c4aea39b34251cd05eeef672aa6f189f2644900974fe6f87

    Download Submit
  • C:\Users\Admin\Desktop\_HELP_instructions.html
    Filesize

    8KB

    MD5

    6d56008d00a1bc179b334821506b8d8b

    SHA1

    5873a2bd01e0d8f4352b5f8bffa9838f47409f6f

    SHA256

    d1b3192f42949d30d4a248dcc4f7d0a4850ed24785e97943f98e6f84f78c62be

    SHA512

    317d89f3dfc2588feda982f47d0abccc438330025fed069610c120173e90881c55e7835f318be0a76279201423e1171c3c5e357dee4d482bf9058fff9c02f91c

    Download Submit
  • memory/1520-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1992-54-0x0000000075381000-0x0000000075383000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1992-56-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize

    284KB

    Download
  • memory/1992-57-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize

    284KB

    Download
  • memory/1992-58-0x00000000005E0000-0x0000000000606000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1992-59-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize

    284KB

    Download
  • memory/1992-60-0x00000000005E0000-0x0000000000606000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1992-63-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1992-64-0x00000000005E0000-0x0000000000606000-memory.dmp
    Filesize

    152KB

    Download