Analysis
-
max time kernel
153s -
max time network
66s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
30-07-2022 22:39
Static task
static1
Behavioral task
behavioral1
Sample
60f634413cb2e27303ef7854667c967ae1253266bc19fc3331943e82d38fccf3.dll
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
60f634413cb2e27303ef7854667c967ae1253266bc19fc3331943e82d38fccf3.dll
Resource
win10v2004-20220721-en
General
-
Target
60f634413cb2e27303ef7854667c967ae1253266bc19fc3331943e82d38fccf3.dll
-
Size
110KB
-
MD5
7e65a93663960c7c40c36953cbfb5f6f
-
SHA1
cd8b22a6c8dc5a3b9dd795824aa0b99359e63d94
-
SHA256
60f634413cb2e27303ef7854667c967ae1253266bc19fc3331943e82d38fccf3
-
SHA512
0b674a73f5fbc4be14d951f3aadbed617310a2b21aa08489bab7bd07d57b1bcd812e411070e569af7fa5d3383264178c9e60dc03238a9d668b4464db8ed69782
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
rundll32.exedescription ioc process File opened for modification \??\c:\Users\Admin\Pictures\PopInitialize.tiff rundll32.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1040 vssadmin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1260 vssvc.exe Token: SeRestorePrivilege 1260 vssvc.exe Token: SeAuditPrivilege 1260 vssvc.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
rundll32.exetaskeng.exedescription pid process target process PID 1064 wrote to memory of 1828 1064 rundll32.exe rundll32.exe PID 1064 wrote to memory of 1828 1064 rundll32.exe rundll32.exe PID 1064 wrote to memory of 1828 1064 rundll32.exe rundll32.exe PID 1064 wrote to memory of 1828 1064 rundll32.exe rundll32.exe PID 1064 wrote to memory of 1828 1064 rundll32.exe rundll32.exe PID 1064 wrote to memory of 1828 1064 rundll32.exe rundll32.exe PID 1064 wrote to memory of 1828 1064 rundll32.exe rundll32.exe PID 452 wrote to memory of 1040 452 taskeng.exe vssadmin.exe PID 452 wrote to memory of 1040 452 taskeng.exe vssadmin.exe PID 452 wrote to memory of 1040 452 taskeng.exe vssadmin.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\60f634413cb2e27303ef7854667c967ae1253266bc19fc3331943e82d38fccf3.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\60f634413cb2e27303ef7854667c967ae1253266bc19fc3331943e82d38fccf3.dll,#12⤵
- Modifies extensions of user files
PID:1828
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
C:\Windows\system32\taskeng.exetaskeng.exe {2BE4A707-9C3B-4904-97A6-B357AED5EC01} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All2⤵
- Interacts with shadow copies
PID:1040
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1040-60-0x0000000000000000-mapping.dmp
-
memory/1828-54-0x0000000000000000-mapping.dmp
-
memory/1828-55-0x00000000751C1000-0x00000000751C3000-memory.dmpFilesize
8KB
-
memory/1828-56-0x0000000074950000-0x0000000074979000-memory.dmpFilesize
164KB
-
memory/1828-57-0x0000000074920000-0x0000000074949000-memory.dmpFilesize
164KB
-
memory/1828-58-0x0000000074920000-0x0000000074949000-memory.dmpFilesize
164KB
-
memory/1828-61-0x0000000074950000-0x0000000074979000-memory.dmpFilesize
164KB
-
memory/1828-62-0x0000000074920000-0x0000000074949000-memory.dmpFilesize
164KB
-
memory/1828-63-0x0000000074950000-0x0000000074979000-memory.dmpFilesize
164KB