Analysis
max time kernel
110s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted
25-09-2022 15:03
Static task
static1
Behavioral task
behavioral1
Sample
locker.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
locker.exe
Resource
win10v2004-20220812-en
General
Target
locker.exe
Size
178KB
MD5
8d27d0c897ce21f1036bf659fc663cf2
SHA1
afe3d0fb48092aeca4dcd3989a076e87fdbe69b2
SHA256
139a8bb2c5537190e747d2f651b423147018fd9a9a21bb36281d4ce1c61727c1
SHA512
531873e8faaf801a447f70848969865750f41fd5ff15bd8c47015e766a9bb8cc1fbb8dcae16ddbf1e4f9dbc5750af593ef8fdcf94cd1a61efa00c7790cda4374
SSDEEP
3072:/gq2DKdMbv1S/n6rHBJK3V9LBSLrKa+HQXvMES/D3Yw7yZyYpEaI:/84X/19LUPMcMEw3kTI
Malware Config
Extracted
C:\warning !!!! Readme bl00dy Gang.txt
filedecryptionsupport@msgsafe.io
https://t.me/bl00dy_Ransomware_Gang
Signatures
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Process filter: locker.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ReceiveStep.tiff => C:\Users\Admin\Pictures\ReceiveStep.tiff.bl00dy | locker.exe
File renamed | C:\Users\Admin\Pictures\CompressGrant.png => C:\Users\Admin\Pictures\CompressGrant.png.bl00dy | locker.exe
File renamed | C:\Users\Admin\Pictures\ExpandCompare.raw => C:\Users\Admin\Pictures\ExpandCompare.raw.bl00dy | locker.exe
File renamed | C:\Users\Admin\Pictures\ExportConnect.crw => C:\Users\Admin\Pictures\ExportConnect.crw.bl00dy | locker.exe
File opened for modification | C:\Users\Admin\Pictures\ReceiveStep.tiff | locker.exe
File renamed | C:\Users\Admin\Pictures\RepairRead.raw => C:\Users\Admin\Pictures\RepairRead.raw.bl00dy | locker.exe
Drops startup file 1 IoCs
Processes:
Process filter: locker.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\warning !!!! Readme bl00dy Gang.txt | locker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 31 IoCs
Processes:
Process filter: locker.exe
description | ioc | process
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | locker.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | locker.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | locker.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | locker.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | locker.exe
File opened for modification | C:\Program Files\desktop.ini | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | locker.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | locker.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | locker.exe
File opened for modification | C:\Users\Public\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | locker.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | locker.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | locker.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | locker.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | locker.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | locker.exe
Drops file in Program Files directory 64 IoCs
Processes:
Process filter: locker.exe
description | ioc | process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\warning !!!! Readme bl00dy Gang.txt | locker.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\warning !!!! Readme bl00dy Gang.txt | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\ui-strings.js | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4 | locker.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\warning !!!! Readme bl00dy Gang.txt | locker.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\warning !!!! Readme bl00dy Gang.txt | locker.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml | locker.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\lt.pak | locker.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\THMBNAIL.PNG | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\ui-strings.js | locker.exe
File created | C:\Program Files\VideoLAN\VLC\locale\tet\warning !!!! Readme bl00dy Gang.txt | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-ae\ui-strings.js | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-pl.xrm-ms | locker.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\warning !!!! Readme bl00dy Gang.txt | locker.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | locker.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar | locker.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_ja.jar | locker.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-print.xml_hidden | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png | locker.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main.css | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\main-selector.css | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms | locker.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\vi.pak | locker.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\de-de\ui-strings.js | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\AppStore_icon.svg | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\ui-strings.js | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\THMBNAIL.PNG | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations_retina.png | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\ui-strings.js | locker.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\classfile_constants.h | locker.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\warning !!!! Readme bl00dy Gang.txt | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms | locker.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\warning !!!! Readme bl00dy Gang.txt | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML | locker.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons2x.png | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms | locker.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\warning !!!! Readme bl00dy Gang.txt | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder_18.svg | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\ui-strings.js | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\ui-strings.js | locker.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\warning !!!! Readme bl00dy Gang.txt | locker.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml | locker.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-disabled_32.svg | locker.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-options-api.jar | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark.gif | locker.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\warning !!!! Readme bl00dy Gang.txt | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt | locker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL020.XML | locker.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\organize.svg | locker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\ui-strings.js | locker.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Process filter: locker.exe
pid | process
4800 | locker.exe (this same entry is recorded 64 times)
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
Process filters: vssvc.exe, WMIC.exe
description | pid | process
Token: SeBackupPrivilege | 4592 | vssvc.exe
Token: SeRestorePrivilege | 4592 | vssvc.exe
Token: SeAuditPrivilege | 4592 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 1476 | WMIC.exe
Token: SeSecurityPrivilege | 1476 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1476 | WMIC.exe
Token: SeLoadDriverPrivilege | 1476 | WMIC.exe
Token: SeSystemProfilePrivilege | 1476 | WMIC.exe
Token: SeSystemtimePrivilege | 1476 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1476 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1476 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1476 | WMIC.exe
Token: SeBackupPrivilege | 1476 | WMIC.exe
Token: SeRestorePrivilege | 1476 | WMIC.exe
Token: SeShutdownPrivilege | 1476 | WMIC.exe
Token: SeDebugPrivilege | 1476 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1476 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1476 | WMIC.exe
Token: SeUndockPrivilege | 1476 | WMIC.exe
Token: SeManageVolumePrivilege | 1476 | WMIC.exe
Token: 33 | 1476 | WMIC.exe
Token: 34 | 1476 | WMIC.exe
Token: 35 | 1476 | WMIC.exe
Token: 36 | 1476 | WMIC.exe
(the 21 WMIC.exe token entries above are recorded a second time in the same order, giving 45 IoCs in total)
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Process filters: locker.exe, cmd.exe
description | pid | process | target process
PID 4800 wrote to memory of 3336 | 4800 | locker.exe | cmd.exe
PID 4800 wrote to memory of 3336 | 4800 | locker.exe | cmd.exe
PID 3336 wrote to memory of 1476 | 3336 | cmd.exe | WMIC.exe
PID 3336 wrote to memory of 1476 | 3336 | cmd.exe | WMIC.exe
Processes
C:\Users\Admin\AppData\Local\Temp\locker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\locker.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7EB2A5C3-4BE6-4623-965C-46426EBC68C8}'" delete
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7EB2A5C3-4BE6-4623-965C-46426EBC68C8}'" delete
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken