Overview

overview

10

Static

static

af7797bf0d...47.exe

windows7_x64

10

af7797bf0d...47.exe

windows10-2004_x64

3

Analysis

  • max time kernel
    1619s
  • max time network
    1622s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    28-06-2022 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af7797bf0df65314f3173e06b114b0498ee0d76c35a243376d1bc1efc4a01347.exe

  • Size

    256KB

  • MD5

    beddff97291279cbff84fa55fa85dcc8

  • SHA1

    1a76fc9fcee3ec83e339248197d036789a03e7b8

  • SHA256

    af7797bf0df65314f3173e06b114b0498ee0d76c35a243376d1bc1efc4a01347

  • SHA512

    5c0147e4098afae2dc4a0b801f3b637335801acae0811e99a2c0e0353c8a4433126ff3ace0f276d11c688ea85b8c2b6d7da17f21a489d8c1bddc37f091ce3c6a

Score
10/10
lockyransomwaresuricata

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • suricata: ET MALWARE Ransomware Locky CnC Beacon 21 May

    suricata: ET MALWARE Ransomware Locky CnC Beacon 21 May

    suricata
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af7797bf0df65314f3173e06b114b0498ee0d76c35a243376d1bc1efc4a01347.exe
    "C:\Users\Admin\AppData\Local\Temp\af7797bf0df65314f3173e06b114b0498ee0d76c35a243376d1bc1efc4a01347.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_HELP_instructions.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:384
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:384 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1200
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\af7797bf0df65314f3173e06b114b0498ee0d76c35a243376d1bc1efc4a01347.exe"
      2⤵
      • Deletes itself
      PID:816
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:612

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FCL8EPMR.txt
    Filesize

    603B

    MD5

    093e011d2180cd42905dfde8ebafbf3b

    SHA1

    12ac0ea196c793c3a5a35747ebb21aa9cb451f6f

    SHA256

    cb3ae0ed7df1a4ff495d1acb12a0bd5743afd4d6f60aff5e2099e6277f176ba4

    SHA512

    f741fda4f0c8f70b620b024cd4b2713568445bccd02f61555bffd2f008313b264da3110a4010ef0414f3dde790e84716348157d9f15ae0a89dd14a6525d03b03

    Download Submit
  • C:\Users\Admin\Desktop\_HELP_instructions.bmp
    Filesize

    3.1MB

    MD5

    fbbe4b94409511b4acca6a110cb31eeb

    SHA1

    f4e0aad83e5a4acf5608f12f169352ef3a226d12

    SHA256

    c0026a18148af173241ac9adb02ffeb490b7e26245b66ea1bd33caa0f6528d80

    SHA512

    d5b015e091ee51cebb144ea54f89e17163bc373cb782245b8ca3e88d87a919bc35604cc8eab79f9e13949b5babf88db0f4ce4c3127400a5c75694d20069187a0

    Download Submit
  • C:\Users\Admin\Desktop\_HELP_instructions.html
    Filesize

    8KB

    MD5

    6d56008d00a1bc179b334821506b8d8b

    SHA1

    5873a2bd01e0d8f4352b5f8bffa9838f47409f6f

    SHA256

    d1b3192f42949d30d4a248dcc4f7d0a4850ed24785e97943f98e6f84f78c62be

    SHA512

    317d89f3dfc2588feda982f47d0abccc438330025fed069610c120173e90881c55e7835f318be0a76279201423e1171c3c5e357dee4d482bf9058fff9c02f91c

    Download Submit
  • memory/816-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1284-54-0x00000000759F1000-0x00000000759F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1284-56-0x0000000000400000-0x0000000000445000-memory.dmp
    Filesize

    276KB

    Download
  • memory/1284-57-0x0000000000400000-0x0000000000445000-memory.dmp
    Filesize

    276KB

    Download
  • memory/1284-58-0x0000000000260000-0x0000000000286000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1284-59-0x0000000000260000-0x0000000000286000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1284-62-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1284-63-0x0000000000260000-0x0000000000286000-memory.dmp
    Filesize

    152KB

    Download