Analysis
-
max time kernel
137s -
max time network
104s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
08-07-2022 03:12
General
-
Target
423dc1aaaed311349f9932a643a032d18f0589b97275b501a7a7f6955f5aac46.exe
-
Size
756KB
-
MD5
a4872e4fe84e5adcc49ba4c641547821
-
SHA1
38fbc212ba2fde3dc0d9f3e9fa27df1411604398
-
SHA256
423dc1aaaed311349f9932a643a032d18f0589b97275b501a7a7f6955f5aac46
-
SHA512
49ac155e08532ee109d62b8105b14a94cd00b29999e4d49356f72157bea87dd0ee4b1b7d059cd6d7cc08711b2db83bde20824ada64e7b4acb611465d32358ca4
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\423dc1aaaed311349f9932a643a032d18f0589b97275b501a7a7f6955f5aac46.exe"C:\Users\Admin\AppData\Local\Temp\423dc1aaaed311349f9932a643a032d18f0589b97275b501a7a7f6955f5aac46.exe"1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\asasin.htm2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1108 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\423dc1aaaed311349f9932a643a032d18f0589b97275b501a7a7f6955f5aac46.exe"2⤵
- Deletes itself
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {0EE1D346-F158-441F-83B8-0D75E9AA8711} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All2⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD5362de796184678d6c9cc622b37c3bb79
SHA1a5e88c90913f6d3b20fa6625e5963f4ec2ad93b3
SHA2563528e486463ebf132e9252877d73bf7f1a050cc2315b4a56d392ea5e98d0f8a3
SHA512cd14dedea77ef31d9f8f775846caf8a554c289527ea688bf2f800c7cb4ac9a10235ec7c483078eb3046a471d0d08ccae69a8e741fa9e232315ed6715134c59b2
-
Filesize
8KB
MD529208885627fc675d1675763b76bf2d4
SHA1444b20d443df7068a189e3cde2ebe6a259edab81
SHA2566e8c46e055ed76555d185b350444b43933c42a3dd7432a1a86ad09482aede4e5
SHA5120b2f7324e5c14b57091af10701d740f7f988b7f06bf7adf3f062ffb148a7e725d5a491a944013d08ef5674d1c5c0cffed9a912d2f584d40fc9aeaef4d5b5635e
-
Filesize
8KB
-
Filesize
772KB
-
Filesize
548KB
