Analysis

  • max time kernel
    1604s
  • max time network
    1608s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    28-06-2022 18:21

General

  • Target

    0d80447ad564ffd0c40cc71213787f823de1b058dc1aa856aa67f438dd51d537.exe

  • Size

    249KB

  • MD5

    1cc0cca4d5d49aba352f4cc93aed3f6f

  • SHA1

    e7db8694074d1a2c7ac097eff4c085debe389d73

  • SHA256

    0d80447ad564ffd0c40cc71213787f823de1b058dc1aa856aa67f438dd51d537

  • SHA512

    fa127310e53e2bb80f6ea27574e2a28eddd180df0ce00fe49d53f4ba508550f5100943a4db8ac1a786468acada99fe0b1476b73417d8fa4d0349eb62a390a29e

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • suricata: ET MALWARE Locky CnC Checkin HTTP Pattern

  • suricata: ET MALWARE Locky CnC checkin Nov 21

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d80447ad564ffd0c40cc71213787f823de1b058dc1aa856aa67f438dd51d537.exe
    "C:\Users\Admin\AppData\Local\Temp\0d80447ad564ffd0c40cc71213787f823de1b058dc1aa856aa67f438dd51d537.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\0d80447ad564ffd0c40cc71213787f823de1b058dc1aa856aa67f438dd51d537.exe
      "C:\Users\Admin\AppData\Local\Temp\0d80447ad564ffd0c40cc71213787f823de1b058dc1aa856aa67f438dd51d537.exe"
      2⤵
      • Modifies extensions of user files
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_WHAT_is.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:792
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\0d80447ad564ffd0c40cc71213787f823de1b058dc1aa856aa67f438dd51d537.exe"
        3⤵
        • Deletes itself
        PID:1052
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1424

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion: Modify Registry (T1112), 2
  • Discovery: System Information Discovery (T1082), 1
  • Impact: Defacement (T1491), 1

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PSVK9BV2.txt
    Filesize

    604B

    MD5

    5e42b0de13a79f14fa4b0b97e4a6647a

    SHA1

    8a605d0ea264fddb1f23eb50cc8f51c1760a4e79

    SHA256

    2466e973c67bebadc31c7042a1895803db45306606b1865a0309785bd57c81da

    SHA512

    577a956a3291c346277d339576399438247c3ad880c7356f39cac1e76e974ea4259c6102c02a0703458e4706b462fa509fb0fe9e7bf053b5c204644368d9edf8

  • C:\Users\Admin\Desktop\_WHAT_is.bmp
    Filesize

    3.5MB

    MD5

    bb3fcb97de9e73c1ab7625659e5ead6c

    SHA1

    9de2c2b5f4d6debbaea8ea465582495e940a10de

    SHA256

    7297ddf0513cb26bcf12e9860896355e152604fcb27706ac9fd3df349935c535

    SHA512

    747433deb42f58bc195a1159ce0c7b2d0ca5a8bc5b811da5ae3f73b4f85bad5de6a800b7967efc80da03aeba03d1b2755fedcd22f1c9038b66570c63c306135b

  • C:\Users\Admin\Desktop\_WHAT_is.html
    Filesize

    9KB

    MD5

    18c8982d20ba5e153f13dfd4323027a7

    SHA1

    cc0acf4eef77f0ec7fe7fd12cd4deea4fdba89c4

    SHA256

    c2ab0c305c37c70bfeb46c5bede8fdef1a3ba37ef683390aa6c8f5ad00efaead

    SHA512

    6c32f85d92be771b049c9aeb463fbe071144ed8ef866d311b81d812daa933bcdda0226aa8a0c657ef67f89795c353d97ed4a9671d12d0258d36d64684478d847

  • \Users\Admin\AppData\Local\Temp\nsy2178.tmp\System.dll
    Filesize

    11KB

    MD5

    a4dd044bcd94e9b3370ccf095b31f896

    SHA1

    17c78201323ab2095bc53184aa8267c9187d5173

    SHA256

    2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

    SHA512

    87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

  • memory/1052-63-0x0000000000000000-mapping.dmp
  • memory/1276-54-0x0000000076C01000-0x0000000076C03000-memory.dmp
    Filesize

    8KB

  • memory/1276-56-0x0000000001E90000-0x0000000001EB8000-memory.dmp
    Filesize

    160KB

  • memory/1276-59-0x0000000001E90000-0x0000000001EB8000-memory.dmp
    Filesize

    160KB

  • memory/1968-57-0x00000000001D5673-mapping.dmp
  • memory/1968-60-0x00000000001D0000-0x00000000001F7000-memory.dmp
    Filesize

    156KB

  • memory/1968-61-0x0000000000290000-0x00000000002B7000-memory.dmp
    Filesize

    156KB

  • memory/1968-64-0x0000000000290000-0x00000000002B7000-memory.dmp
    Filesize

    156KB