Analysis

  • max time kernel
    1620s
  • max time network
    1623s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    28-06-2022 18:19

General

  • Target

    b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe

  • Size

    191KB

  • MD5

    47380d71be72bb4ff55b5e51f8bdc963

  • SHA1

    c9fa6bfaa364a15a1aec3a8645999bd3fe7cd3af

  • SHA256

    b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71

  • SHA512

    4b3e4094d8de13dee8f1bcbdc125e91a814fb7a46ce3531326192fad909d6e3b4e912331614bbb302ee18ef0caa14da9f767e554685676b438b89b04d6eb32c8

Score
10/10

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe
    "C:\Users\Admin\AppData\Local\Temp\b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Users\Admin\AppData\Local\Temp\b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe
      "C:\Users\Admin\AppData\Local\Temp\b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe"
      2⤵
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:800
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_HOWDO_text.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1876
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:360
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe"
        3⤵
        • Deletes itself
        PID:896
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1244

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V2E26LNA.txt

    Filesize

    599B

    MD5

    2456acde24d0f0ff888f7b4eb077550b

    SHA1

    cf36b204a7ae1041f1eeb07069ba547d6a0c6adc

    SHA256

    e93e1b85b155ec46f1e53ae40be9d7f8062590db2bf82c122265f6f4fe85f841

    SHA512

    5f5302e298c238d3bcdd216786b40bb283414fd6d09a9bddd46fbc5d924328444483267f022b71b70aa88642461cf047d3881f4a5f5045822fa0a496f80bdfde

  • C:\Users\Admin\Desktop\_HOWDO_text.bmp

    Filesize

    3.5MB

    MD5

    5712470aac14e46b14679840f9bbaad6

    SHA1

    701ba35b5186de23695ff4c612e10e7d8985666a

    SHA256

    feea31824c902d9450208271cdb902a5169a44cf41c9446760c6779d8319001b

    SHA512

    f11e1a9ae954ef0a72743123954b0dc937adc4a7758bc2a71dcc43c2d39a41ae55777cedf39d41a1cf14031d728322f7a6bcf9cf8b3a497f8542a6580b30a121

  • C:\Users\Admin\Desktop\_HOWDO_text.html

    Filesize

    8KB

    MD5

    844f46a194471b4a01b9bf64579b2388

    SHA1

    c05d0b6d010e68e258e00e9f55134c4e3fcc338c

    SHA256

    4b52fc4a44e24c662be4c7a6c44f9a547f9f8d587adad4a8de9719b171c39d56

    SHA512

    939dc2680a390b964134d61aeef22d925b53691425bb3a75e14f51540e906023f8672ea5562f26fe9d0cc4262f6f9a2d4642e2c86745a1b461220e6d4068a00d

  • \Users\Admin\AppData\Local\Temp\nsyEA52.tmp\System.dll

    Filesize

    11KB

    MD5

    3e6bf00b3ac976122f982ae2aadb1c51

    SHA1

    caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

    SHA256

    4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

    SHA512

    1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

  • memory/800-57-0x00000000001C560B-mapping.dmp

  • memory/800-60-0x00000000001C0000-0x00000000001E7000-memory.dmp

    Filesize

    156KB

  • memory/800-61-0x0000000000210000-0x0000000000237000-memory.dmp

    Filesize

    156KB

  • memory/800-64-0x0000000000210000-0x0000000000237000-memory.dmp

    Filesize

    156KB

  • memory/896-63-0x0000000000000000-mapping.dmp

  • memory/912-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

    Filesize

    8KB

  • memory/912-56-0x00000000006D0000-0x00000000006F7000-memory.dmp

    Filesize

    156KB

  • memory/912-59-0x00000000006D0000-0x00000000006F7000-memory.dmp

    Filesize

    156KB