Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 18:51

General

  • Target

    df255af635a2dde04c031db95862f11e1bf44fe5cfc10d3b20bd4678ed818567.exe

  • Size

    623KB

  • MD5

    c24a08bfeb09c9842b8e6578d7b0b721

  • SHA1

    937a77b8ad27217b346922cb5513458542e3d390

  • SHA256

    df255af635a2dde04c031db95862f11e1bf44fe5cfc10d3b20bd4678ed818567

  • SHA512

    42717c37604b41fff2bae91a22037f0e2b1d3514a8305d672595930f331a6a998d1a88741585413977ee81cd59ab155faf19ae654d229dc0256e30d71b222799

Malware Config

Signatures

  • Locky

    Ransomware family first seen in 2016, with advanced features such as anti-analysis checks.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df255af635a2dde04c031db95862f11e1bf44fe5cfc10d3b20bd4678ed818567.exe
    "C:\Users\Admin\AppData\Local\Temp\df255af635a2dde04c031db95862f11e1bf44fe5cfc10d3b20bd4678ed818567.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\asasin.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:556
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\df255af635a2dde04c031db95862f11e1bf44fe5cfc10d3b20bd4678ed818567.exe"
      2⤵
      • Deletes itself
      PID:1536
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1516
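
The process tree above records the behaviours a detection engineer would want to encode: the sample writes asasin.bmp and asasin.htm to the Desktop (consistent with a ransom note), sets the wallpaper and a Run key through the registry, opens the .htm with iexplore.exe, and finally spawns cmd.exe /C del to remove its own binary. The following is an added example, not part of the sandbox report or its tooling, that expresses those behaviours as rules over constructed process, registry and file events modelled on the tree. The event field names and the HKCU Run and Wallpaper key paths are assumptions: the report lists the signatures but does not print the exact registry targets.

```python
"""Behavioural triage rules over constructed endpoint events.

Added example; not part of the sandbox report.  The events below are
constructed to mirror the process tree above.  Field names (type, pid,
ppid, image, cmdline, key, target) are this example's own convention,
loosely modelled on Sysmon ProcessCreate / RegistryEvent / FileCreate.
The HKCU Run and Wallpaper key paths are assumptions: the report says the
sample adds a Run key and sets the wallpaper but does not print the keys.
"""

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\df255af635a2dde04c031db95862f11e1bf44fe5cfc10d3b20bd4678ed818567.exe")
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
NOTE_HTM = r"C:\Users\Admin\Desktop\asasin.htm"
NOTE_BMP = r"C:\Users\Admin\Desktop\asasin.bmp"

EVENTS = [  # constructed, in the order the tree implies
    {"type": "process", "pid": 2004, "ppid": 1000, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "registry", "pid": 2004, "image": SAMPLE,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},   # assumed key
    {"type": "file", "pid": 2004, "image": SAMPLE, "target": NOTE_BMP},
    {"type": "file", "pid": 2004, "image": SAMPLE, "target": NOTE_HTM},
    {"type": "registry", "pid": 2004, "image": SAMPLE,
     "key": r"HKCU\Control Panel\Desktop\Wallpaper"},                 # assumed key
    {"type": "process", "pid": 2012, "ppid": 2004, "image": IE64,
     "cmdline": '"' + IE64 + '" ' + NOTE_HTM},
    {"type": "process", "pid": 556, "ppid": 2012, "image": IE32,
     "cmdline": '"' + IE32 + '" SCODEF:2012 CREDAT:275457 /prefetch:2'},
    {"type": "process", "pid": 1536, "ppid": 2004, "image": CMD,
     "cmdline": 'cmd.exe /C del /Q /F "' + SAMPLE + '"'},
]

# Directories an unprivileged user can write to; binaries running from
# here get the stricter rules, explorer.exe and other system images do not.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def from_user_writable(path):
    """True if the image path lies under a user-writable directory."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def run_rules(events):
    """Return sorted (rule, pid) findings over a list of event dicts.

    pid is the process whose behaviour tripped the rule; for self_delete
    and note_displayed that is the parent (the dropper), since the cmd.exe
    and iexplore.exe children are only carrying out its intent.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    found = set()
    for e in events:
        img = e["image"].lower()
        if e["type"] == "process":
            cmd = e["cmdline"].lower()
            parent = procs.get(e["ppid"])
            # cmd.exe /C del <parent image>: the binary erasing itself
            if (img.endswith("\\cmd.exe") and " del " in cmd
                    and parent and parent["image"].lower() in cmd):
                found.add(("self_delete", parent["pid"]))
            # a dropper in Temp/AppData opening a Desktop .htm in the browser
            if (img.endswith("\\iexplore.exe") and "\\desktop\\" in cmd
                    and cmd.rstrip().endswith(".htm")
                    and parent and from_user_writable(parent["image"])):
                found.add(("note_displayed", parent["pid"]))
        elif e["type"] == "registry":
            key = e["key"].lower()
            if "\\currentversion\\run" in key and from_user_writable(img):
                found.add(("run_key_persistence", e["pid"]))
            if key.endswith("control panel\\desktop\\wallpaper") and from_user_writable(img):
                found.add(("wallpaper_set", e["pid"]))
        elif e["type"] == "file":
            tgt = e["target"].lower()
            if ("\\desktop\\" in tgt and tgt.endswith((".htm", ".html", ".bmp", ".txt"))
                    and from_user_writable(img)):
                found.add(("ransom_note_drop", e["pid"]))
    return sorted(found)


if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule:<22} pid={pid}")
```

The self-delete rule attributes its finding to the parent (the binary being deleted, PID 2004 here) rather than to the cmd.exe child, which matters because the dropper has usually exited by the time anyone looks at the alert. The user-writable-path filter is what keeps explorer.exe's legitimate wallpaper changes and installer-written Run keys under Program Files out of the results; tune the USER_WRITABLE list to the environment before deploying.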

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\Desktop\asasin.bmp

    Filesize

    3.5MB

    MD5

    dfe7ab73072614daa14f42edd9bf48e9

    SHA1

    66a52d869e59620da90525531bb2ff050ba850ce

    SHA256

    3c6c8ce0ac6302ee219bcadf7a67086349fdb20c5a8405938e2a5f6cba9a701a

    SHA512

    31a28accba9abddaf3bd6216ff5ae03061999f86549efb302d3160659db91d0e9800fec10bef98c51d2fd23915d8b0af1f65504726a6695b64319fbdece03ed1

  • C:\Users\Admin\Desktop\asasin.htm

    Filesize

    8KB

    MD5

    751552b4468b3896e00f6f475ca0c602

    SHA1

    258e79bf1918a326b87c6535231952ade2afd72e

    SHA256

    ba5fb21b3288c55428ac548e75c6ff9fdd35772a30a99bce1be24a78c6e0df4a

    SHA512

    3eae870e5309e58f42ab7f1f09d63d88ad01c941dd6e7f864e6d353c3fd863962198ca1b6e158e96a2291081dffb0c9f5f0c9332d6b03ea33e737b989651d4ea

  • memory/1536-61-0x0000000000000000-mapping.dmp

  • memory/2004-54-0x0000000076191000-0x0000000076193000-memory.dmp

    Filesize

    8KB

  • memory/2004-55-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

  • memory/2004-56-0x0000000000400000-0x00000000004A2C94-memory.dmp

    Filesize

    651KB

  • memory/2004-58-0x0000000000400000-0x00000000004A2C94-memory.dmp

    Filesize

    651KB

  • memory/2004-59-0x0000000000400000-0x00000000004A2C94-memory.dmp

    Filesize

    651KB

  • memory/2004-62-0x0000000000400000-0x00000000004A2C94-memory.dmp

    Filesize

    651KB