Overview

overview

10

Static

static

60f634413c...f3.dll

windows7-x64

10

60f634413c...f3.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    66s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    30-07-2022 22:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60f634413cb2e27303ef7854667c967ae1253266bc19fc3331943e82d38fccf3.dll

  • Size

    110KB

  • MD5

    7e65a93663960c7c40c36953cbfb5f6f

  • SHA1

    cd8b22a6c8dc5a3b9dd795824aa0b99359e63d94

  • SHA256

    60f634413cb2e27303ef7854667c967ae1253266bc19fc3331943e82d38fccf3

  • SHA512

    0b674a73f5fbc4be14d951f3aadbed617310a2b21aa08489bab7bd07d57b1bcd812e411070e569af7fa5d3383264178c9e60dc03238a9d668b4464db8ed69782

Score
10/10
lockyransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\60f634413cb2e27303ef7854667c967ae1253266bc19fc3331943e82d38fccf3.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\60f634413cb2e27303ef7854667c967ae1253266bc19fc3331943e82d38fccf3.dll,#1
      2⤵
      • Modifies extensions of user files
      PID:1828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1260
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {2BE4A707-9C3B-4904-97A6-B357AED5EC01} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      2⤵
      • Interacts with shadow copies
      PID:1040

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1040-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1828-54-0x0000000000000000-mapping.dmp
    Download
  • memory/1828-55-0x00000000751C1000-0x00000000751C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1828-56-0x0000000074950000-0x0000000074979000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1828-57-0x0000000074920000-0x0000000074949000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1828-58-0x0000000074920000-0x0000000074949000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1828-61-0x0000000074950000-0x0000000074979000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1828-62-0x0000000074920000-0x0000000074949000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1828-63-0x0000000074950000-0x0000000074979000-memory.dmp
    Filesize

    164KB

    Download