Analysis
- max time kernel: 149s
- max time network: 85s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 03-07-2022 06:58

The process tree, signatures and memory dumps on this page come from the windows7_x64 run (behavioral1); the sample was also queued against the win10v2004 image (behavioral2).

Static task: static1
Behavioral task: behavioral1
- Sample: 3c968374fb5f51d095b4736b7a4db42b9573171c524a1a1e37a1efdfc14125df.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3c968374fb5f51d095b4736b7a4db42b9573171c524a1a1e37a1efdfc14125df.exe
- Resource: win10v2004-20220414-en
General
- Target: 3c968374fb5f51d095b4736b7a4db42b9573171c524a1a1e37a1efdfc14125df.exe
- Size: 590KB
- MD5: 75e9203373579458f51c3082a9c142ae
- SHA1: 9272c5e3d29311eacf6cb1f10c9dfa7c63ad7ada
- SHA256: 3c968374fb5f51d095b4736b7a4db42b9573171c524a1a1e37a1efdfc14125df
- SHA512: d13eeb86ee1dcc8816a3fa78c4daa44f80ed15558ec0735405bd1bfa5015515d0a617d4d5c4ce82ef5168acd796ac85ec95273b16e412852eb4ea7cfb506eac1
Malware Config
Signatures
- Locky
  Ransomware family first seen in 2016, with anti-analysis features.
- Deletes shadow copies (2 TTPs)
  Ransomware deletes Volume Shadow Copies so that files encrypted later cannot be restored from local snapshots.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - vssadmin.exe (PID 1600)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - vssvc.exe (PID 968): Token: SeBackupPrivilege
  - vssvc.exe (PID 968): Token: SeRestorePrivilege
  - vssvc.exe (PID 968): Token: SeAuditPrivilege
  Caveat: vssvc.exe is the Volume Shadow Copy service itself. Enabling the backup and restore privileges is what it does for any shadow-copy request, so these three hits are a side effect of the vssadmin call below, not evidence that the sample escalated privileges.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 580 (taskeng.exe) wrote to memory of PID 1600 (vssadmin.exe), three identical events
  Caveat: a parent writing into a child it has just created is part of normal process start-up on Windows (the process parameters are written into the new process), so these events record the taskeng.exe to vssadmin.exe launch rather than an injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\3c968374fb5f51d095b4736b7a4db42b9573171c524a1a1e37a1efdfc14125df.exe (PID 1880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c968374fb5f51d095b4736b7a4db42b9573171c524a1a1e37a1efdfc14125df.exe"
- C:\Windows\system32\vssvc.exe (PID 968)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe (PID 580)
  Command line: taskeng.exe {9801EFCD-929A-4183-BBFA-F1F139BACF54} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe (PID 1600, child of PID 580)
    Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
    Signatures: Interacts with shadow copies

Note for detection: the shadow-copy deletion is not a child of the sample (PID 1880). It was launched by the Task Scheduler engine (taskeng.exe, running as S-1-5-18 / NT AUTHORITY\System), so a rule keyed on "sample spawns vssadmin.exe" misses it; key on the vssadmin.exe command line itself and record the parent chain. The report does not show how the task was registered.
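As an added example (not part of the sandbox report), the check a detection engineer would write for the behaviour above: constructed process-creation records modelled on the report's process tree are replayed through a small Python detector that flags vssadmin shadow-copy destruction, distinguishes it from a harmless "List Shadows" query, and reports the parent chain so that the taskeng.exe launch path is visible. Only the PIDs, images and command lines of PIDs 1880, 968, 580 and 1600 come from the report; the other parent PIDs, the "List Shadows" control event and the "resize shadowstorage" pattern (a documented vssadmin verb, included so the rule generalizes beyond the one command seen here) are assumptions.

```python
"""Flag shadow-copy deletion in process-creation records and show the parent chain.

Added example, not part of the sandbox report. The events below are constructed
from the report's process tree; parent PIDs other than 580 -> 1600 are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, the fields a Sysmon Event ID 1 or EDR feed gives."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\3c968374fb5f51d095b4736b7a4db42b9573171c524a1a1e37a1efdfc14125df.exe")

# Constructed events. PIDs, images and command lines for 1880, 968, 580 and 1600
# are the ones the report lists; ppid 0 / 476 are placeholders (the report does
# not record those parents), and the 'List Shadows' event (PID 2044) is a benign
# control case added to show the detector does not fire on queries.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1880, 0, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(968, 476, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcEvent(580, 476, r"C:\Windows\system32\taskeng.exe",
              r"taskeng.exe {9801EFCD-929A-4183-BBFA-F1F139BACF54} S-1-5-18:NT AUTHORITY\System:Service:"),
    ProcEvent(1600, 580, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All"),
    ProcEvent(2044, 1880, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe List Shadows"),
]

# 'delete shadows' is the verb in the report; 'resize shadowstorage' is another
# documented vssadmin verb that evicts old snapshots by shrinking their storage.
# Covering it is an assumption about what else the reader wants caught.
_DESTRUCTIVE = [
    ("delete shadows", re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)),
    ("resize shadowstorage", re.compile(r"\bresize\s+shadowstorage\b", re.IGNORECASE)),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(events: List[ProcEvent], pid: int, max_depth: int = 16) -> List[str]:
    """Image basenames from pid up to the oldest ancestor present in the records."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain: List[str] = []
    cur: Optional[ProcEvent] = by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:  # max_depth guards PID reuse cycles
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def find_shadow_deletion(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per vssadmin.exe launch whose command line destroys shadow copies."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[dict] = []
    for ev in events:
        if basename(ev.image) != "vssadmin.exe":
            continue
        technique = next((name for name, rx in _DESTRUCTIVE if rx.search(ev.cmdline)), None)
        if technique is None:
            continue  # e.g. 'List Shadows': an administrative query, not destruction
        switches = {tok.lower() for tok in ev.cmdline.split() if tok.startswith("/")}
        parent = by_pid.get(ev.ppid)
        findings.append({
            "pid": ev.pid,
            "ppid": ev.ppid,
            "parent_image": basename(parent.image) if parent else None,
            "technique": technique,
            "all_volumes": "/all" in switches,   # every shadow on every volume
            "quiet": "/quiet" in switches,       # suppresses the confirmation prompt
            "cmdline": ev.cmdline,
        })
    return findings


if __name__ == "__main__":
    for f in find_shadow_deletion(SAMPLE_EVENTS):
        chain = " <- ".join(lineage(SAMPLE_EVENTS, f["pid"]))
        print(f"[!] PID {f['pid']} {f['technique']} (all={f['all_volumes']}, quiet={f['quiet']}) via {chain}")
        print(f"    {f['cmdline']}")
```

Run against the constructed events, the detector reports exactly one finding, PID 1600, with parent taskeng.exe and lineage "vssadmin.exe <- taskeng.exe"; the chain stops there because the report does not record taskeng.exe's own parent. Keying on the vssadmin.exe command line rather than on the sample as parent is what makes the scheduled-task launch path visible.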
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1600-57-0x0000000000000000-mapping.dmp
- memory/1880-55-0x0000000000400000-0x0000000000496000-memory.dmp (600KB)
- memory/1880-54-0x0000000000400000-0x0000000000496000-memory.dmp (600KB)
- memory/1880-56-0x00000000755A1000-0x00000000755A3000-memory.dmp (8KB)

The two 0x400000-0x496000 dumps are the sample's mapped image in PID 1880 (0x96000 bytes = 600KB; the 590KB file grows to that once sections are aligned in memory), captured at two points in the run. Compare the two when looking for in-memory unpacking: if the sample unpacks in place, the later dump will differ from the earlier one and from the file on disk.