Analysis
- max time kernel: 152s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-07-2022 01:54
Static task: static1
Behavioral task: behavioral1
  Sample: 48c7a0da6261e557e6cd12e81ba8b577492d477d8d21c0bbd8420dc9cb613867.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 48c7a0da6261e557e6cd12e81ba8b577492d477d8d21c0bbd8420dc9cb613867.exe
  Resource: win10v2004-20220414-en
General
- Target: 48c7a0da6261e557e6cd12e81ba8b577492d477d8d21c0bbd8420dc9cb613867.exe
- Size: 756KB
- MD5: 8fb63c10eb2c656dafe47e854906d29b
- SHA1: ae45c8e53bbc6e094e12c44bad0da44eb357ca36
- SHA256: 48c7a0da6261e557e6cd12e81ba8b577492d477d8d21c0bbd8420dc9cb613867
- SHA512: baa533df470d47aacb6274c193bc34ddace60957dbcddc39aa130cb11b74ec7ce25d051347c80c19a10ddfab854595b52c8a88b35134eb8b79ae177b49688718
Malware Config
Signatures
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (1 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 48c7a0da6261e557e6cd12e81ba8b577492d477d8d21c0bbd8420dc9cb613867.exe
    description | ioc | process
    File opened for modification | \??\c:\Users\Admin\Pictures\ResolveApprove.tiff | 48c7a0da6261e557e6cd12e81ba8b577492d477d8d21c0bbd8420dc9cb613867.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
    pid | process
    1656 | vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: 48c7a0da6261e557e6cd12e81ba8b577492d477d8d21c0bbd8420dc9cb613867.exe, vssvc.exe
    description | pid | process
    Token: SeDebugPrivilege | 1556 | 48c7a0da6261e557e6cd12e81ba8b577492d477d8d21c0bbd8420dc9cb613867.exe
    Token: SeTakeOwnershipPrivilege | 1556 | 48c7a0da6261e557e6cd12e81ba8b577492d477d8d21c0bbd8420dc9cb613867.exe
    Token: SeBackupPrivilege | 1556 | 48c7a0da6261e557e6cd12e81ba8b577492d477d8d21c0bbd8420dc9cb613867.exe
    Token: SeRestorePrivilege | 1556 | 48c7a0da6261e557e6cd12e81ba8b577492d477d8d21c0bbd8420dc9cb613867.exe
    Token: SeBackupPrivilege | 1708 | vssvc.exe
    Token: SeRestorePrivilege | 1708 | vssvc.exe
    Token: SeAuditPrivilege | 1708 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: taskeng.exe
    description | pid | process | target process
    PID 864 wrote to memory of 1656 | 864 | taskeng.exe | vssadmin.exe
    PID 864 wrote to memory of 1656 | 864 | taskeng.exe | vssadmin.exe
    PID 864 wrote to memory of 1656 | 864 | taskeng.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\48c7a0da6261e557e6cd12e81ba8b577492d477d8d21c0bbd8420dc9cb613867.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\48c7a0da6261e557e6cd12e81ba8b577492d477d8d21c0bbd8420dc9cb613867.exe"
  - Modifies extensions of user files
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {7CC012D3-9E83-4050-821B-1D8572778302} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe (depth 2, child of taskeng.exe)
    Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
    - Interacts with shadow copies
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1556-54-0x0000000075541000-0x0000000075543000-memory.dmp (Filesize: 8KB)
- memory/1556-55-0x0000000000AB0000-0x0000000000B71000-memory.dmp (Filesize: 772KB)
- memory/1556-58-0x0000000000870000-0x00000000008F9000-memory.dmp (Filesize: 548KB)
- memory/1656-59-0x0000000000000000-mapping.dmp