Overview

overview

10

Static

static

c127b95c9d...30.exe

windows7_x64

10

c127b95c9d...30.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    1620s
  • max time network
    1623s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    28-06-2022 18:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c127b95c9d4710e862ca8b477928b78b43bcfb6655c27462a7c644daac1e3c30.exe

  • Size

    206KB

  • MD5

    f08c3b7ace25f1ce76bebd3429762ef8

  • SHA1

    8a6585bafa9ed8341051c062b149242b727fd8b0

  • SHA256

    c127b95c9d4710e862ca8b477928b78b43bcfb6655c27462a7c644daac1e3c30

  • SHA512

    aff55b078294628e4b992a423ce80b32c288eca28b160d4e6e23f6dd01cb2d48c26a8a45db9d8a14e21a73506d7e1b1cafdbe072192193181de38be62acb4dc6

Score
10/10
lockyransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c127b95c9d4710e862ca8b477928b78b43bcfb6655c27462a7c644daac1e3c30.exe
    "C:\Users\Admin\AppData\Local\Temp\c127b95c9d4710e862ca8b477928b78b43bcfb6655c27462a7c644daac1e3c30.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\c127b95c9d4710e862ca8b477928b78b43bcfb6655c27462a7c644daac1e3c30.exe
      "C:\Users\Admin\AppData\Local\Temp\c127b95c9d4710e862ca8b477928b78b43bcfb6655c27462a7c644daac1e3c30.exe"
      2⤵
      • Modifies extensions of user files
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:700
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_HOWDO_text.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1544 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1040
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\c127b95c9d4710e862ca8b477928b78b43bcfb6655c27462a7c644daac1e3c30.exe"
        3⤵
        • Deletes itself
        PID:324
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1776

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UC2MFVN8.txt
    Filesize

    599B

    MD5

    1ab1fc74cae8a90b8a6b451a4f721720

    SHA1

    1e8193bb5b05468e1ba5ef458ae8d84ff2235ae3

    SHA256

    36adba10efbe7ed80b6cdd38fce8dc12541b5a9384ddbb21b0a254fe5467b233

    SHA512

    8c6cc915a34423c9583ba376d97c8e58c4d574bb820141054b97b1ea7aeb7aba43bd81cc1dc8ffb70d754b6939b27ff607b86da997f0bd8bd809a7eae21e8bda

    Download Submit
  • C:\Users\Admin\Desktop\_HOWDO_text.bmp
    Filesize

    3.5MB

    MD5

    5712470aac14e46b14679840f9bbaad6

    SHA1

    701ba35b5186de23695ff4c612e10e7d8985666a

    SHA256

    feea31824c902d9450208271cdb902a5169a44cf41c9446760c6779d8319001b

    SHA512

    f11e1a9ae954ef0a72743123954b0dc937adc4a7758bc2a71dcc43c2d39a41ae55777cedf39d41a1cf14031d728322f7a6bcf9cf8b3a497f8542a6580b30a121

    Download Submit
  • C:\Users\Admin\Desktop\_HOWDO_text.html
    Filesize

    8KB

    MD5

    844f46a194471b4a01b9bf64579b2388

    SHA1

    c05d0b6d010e68e258e00e9f55134c4e3fcc338c

    SHA256

    4b52fc4a44e24c662be4c7a6c44f9a547f9f8d587adad4a8de9719b171c39d56

    SHA512

    939dc2680a390b964134d61aeef22d925b53691425bb3a75e14f51540e906023f8672ea5562f26fe9d0cc4262f6f9a2d4642e2c86745a1b461220e6d4068a00d

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsyE9B6.tmp\System.dll
    Filesize

    11KB

    MD5

    3e6bf00b3ac976122f982ae2aadb1c51

    SHA1

    caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

    SHA256

    4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

    SHA512

    1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

    Download Submit
  • memory/324-63-0x0000000000000000-mapping.dmp
    Download
  • memory/700-57-0x00000000001C560B-mapping.dmp
    Download
  • memory/700-60-0x00000000001C0000-0x00000000001E7000-memory.dmp
    Filesize

    156KB

    Download
  • memory/700-61-0x0000000000280000-0x00000000002A7000-memory.dmp
    Filesize

    156KB

    Download
  • memory/700-64-0x0000000000280000-0x00000000002A7000-memory.dmp
    Filesize

    156KB

    Download
  • memory/1948-54-0x0000000076721000-0x0000000076723000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1948-56-0x0000000000450000-0x0000000000477000-memory.dmp
    Filesize

    156KB

    Download
  • memory/1948-59-0x0000000000450000-0x0000000000477000-memory.dmp
    Filesize

    156KB

    Download