Analysis
- max time kernel: 184s
- max time network: 191s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/11/2022, 20:29
Behavioral task: behavioral1
- Sample: 3bc137f0fcc20884118ddb93e00c68c773dbcc95726fb22d29d93fd17fc774f4.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 3bc137f0fcc20884118ddb93e00c68c773dbcc95726fb22d29d93fd17fc774f4.exe
- Resource: win10v2004-20220812-en
General
- Target: 3bc137f0fcc20884118ddb93e00c68c773dbcc95726fb22d29d93fd17fc774f4.exe
- Size: 48KB
- MD5: 52a7c2d7ccd1b933219dee6b494ff266
- SHA1: 993f529d4ed736de3105776f6bb2a0a33da7cc6e
- SHA256: 3bc137f0fcc20884118ddb93e00c68c773dbcc95726fb22d29d93fd17fc774f4
- SHA512: ba2c31e41dfa7566fb7060f9e776d9426916613cbc25c8a3fede34a8228d2aea6af6f20cd8280ec5aa1add046124f9c00853ea1295a88bec421da5ca63c567b8
- SSDEEP: 768:x5btb1L0km+3k+IGFEIKK+dR7Lw5tKV47c1ruO3nG+5Yx3:LV1L0krdH2svolns
Malware Config

Signatures

Executes dropped EXE (2 IoCs)
  pid | Process
  4204 | lockie.exe
  2892 | lock.exe

YARA rule matches (6 IoCs)
  resource | yara_rule
  behavioral2/memory/924-132-0x0000000000400000-0x0000000000419000-memory.dmp | upx
  behavioral2/files/0x0007000000022e1a-145.dat | upx
  behavioral2/files/0x0007000000022e1a-147.dat | upx
  behavioral2/memory/924-146-0x0000000000400000-0x0000000000419000-memory.dmp | upx
  behavioral2/memory/2892-151-0x0000000000400000-0x000000000040D000-memory.dmp | upx
  behavioral2/memory/2892-162-0x0000000000400000-0x000000000040D000-memory.dmp | upx
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | lockie.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | lock.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | lock.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LockDns = "C:\\Windows\\SysWOW64\\lock.exe /r" | lock.exe
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | lockie.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LockIE = "C:\\Windows\\SysWOW64\\lockie.exe /r" | lockie.exe

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\lockie.exe | 3bc137f0fcc20884118ddb93e00c68c773dbcc95726fb22d29d93fd17fc774f4.exe
  File opened for modification | C:\Windows\SysWOW64\lock.exe | 3bc137f0fcc20884118ddb93e00c68c773dbcc95726fb22d29d93fd17fc774f4.exe

Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\NavCheck | lock.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Gathers network information (2 TTPs, 6 IoCs)
Uses commandline utility to view network configuration.
  pid | Process
  2092 | ipconfig.exe
  3468 | ipconfig.exe
  4148 | ipconfig.exe
  3132 | ipconfig.exe
  2824 | ipconfig.exe
  4316 | ipconfig.exe
Modifies Internet Explorer settings (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | lockie.exe

Modifies Internet Explorer start page (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://hao.daohangbai.com" | lockie.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4204 | lockie.exe
  4204 | lockie.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid | Process
  924 | 3bc137f0fcc20884118ddb93e00c68c773dbcc95726fb22d29d93fd17fc774f4.exe
  4204 | lockie.exe
  2892 | lock.exe
  2892 | lock.exe
  2892 | lock.exe
Suspicious use of WriteProcessMemory (54 IoCs)
Each entry below appears three times in the report (54 rows in total).
  description | pid | Process | procid_target
  PID 924 wrote to memory of 4204 | 924 | 3bc137f0fcc20884118ddb93e00c68c773dbcc95726fb22d29d93fd17fc774f4.exe | 77
  PID 4204 wrote to memory of 2824 | 4204 | lockie.exe | 78
  PID 4204 wrote to memory of 4004 | 4204 | lockie.exe | 80
  PID 4004 wrote to memory of 5036 | 4004 | cmd.exe | 82
  PID 924 wrote to memory of 2892 | 924 | 3bc137f0fcc20884118ddb93e00c68c773dbcc95726fb22d29d93fd17fc774f4.exe | 83
  PID 2892 wrote to memory of 4316 | 2892 | lock.exe | 84
  PID 4004 wrote to memory of 4208 | 4004 | cmd.exe | 87
  PID 2892 wrote to memory of 2200 | 2892 | lock.exe | 86
  PID 2200 wrote to memory of 2456 | 2200 | cmd.exe | 89
  PID 2200 wrote to memory of 4348 | 2200 | cmd.exe | 90
  PID 4004 wrote to memory of 1908 | 4004 | cmd.exe | 91
  PID 2200 wrote to memory of 1484 | 2200 | cmd.exe | 92
  PID 4004 wrote to memory of 932 | 4004 | cmd.exe | 93
  PID 2200 wrote to memory of 2632 | 2200 | cmd.exe | 94
  PID 4004 wrote to memory of 2092 | 4004 | cmd.exe | 95
  PID 4204 wrote to memory of 3468 | 4204 | lockie.exe | 100
  PID 2892 wrote to memory of 4148 | 2892 | lock.exe | 108
  PID 4204 wrote to memory of 3132 | 4204 | lockie.exe | 110
Processes
(indentation shows the parent/child relationship; the depth markers of the original tree are dropped)

C:\Users\Admin\AppData\Local\Temp\3bc137f0fcc20884118ddb93e00c68c773dbcc95726fb22d29d93fd17fc774f4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bc137f0fcc20884118ddb93e00c68c773dbcc95726fb22d29d93fd17fc774f4.exe"
  PID: 924
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\lockie.exe
    Command line: C:\Windows\system32\lockie.exe
    PID: 4204
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig.exe /all
      PID: 2824
      - Gathers network information

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AutoDns.cmd" "
      PID: 4004
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh interface ip set dns name="????" source=static addr=59.188.236.57 register=PRIMARY
        PID: 5036

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh interface ip add dns name="????" addr=174.139.171.34 index=2
        PID: 4208

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh interface ip set dns name="??????" source=static addr=59.188.236.57 register=PRIMARY
        PID: 1908

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh interface ip add dns name="??????" addr=174.139.171.34 index=2
        PID: 932

      C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /flushdns
        PID: 2092
        - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig.exe /all
      PID: 3468
      - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig.exe /all
      PID: 3132
      - Gathers network information

  C:\Windows\SysWOW64\lock.exe
    Command line: C:\Windows\system32\lock.exe
    PID: 2892
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig.exe /all
      PID: 4316
      - Gathers network information

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AutoDns.cmd" "
      PID: 2200
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh interface ip set dns name="????" source=static addr=59.188.236.57 register=PRIMARY
        PID: 2456

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh interface ip add dns name="????" addr=174.139.171.34 index=2
        PID: 4348

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh interface ip set dns name="??????" source=static addr=59.188.236.57 register=PRIMARY
        PID: 1484

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh interface ip add dns name="??????" addr=174.139.171.34 index=2
        PID: 2632

    C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig.exe /all
      PID: 4148
      - Gathers network information
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 348B
  MD5: b7e7fbbe645f83272fec08c0c0d6b7d8
  SHA1: 56f2f0a9eb409c7d499fa0852bcf9deded7c30b1
  SHA256: 84d1b9f2ba89006a4e30cde170d09f4b3b0789ad24871773c10d1c65ba9af15f
  SHA512: 04aaabd3b6264fe6fdecf1e94aed580aee430d64c66f315c20708e32b4b540c2c7da46a34ff5868a85238e349e117322432fa5a2ac392f943523abebc5cbb745
- Filesize: 12KB
  MD5: 7c52700d9c5db9da1b8216be15fff896
  SHA1: 945e77767ca9ce9957ac5e5493c7af3a089a7bbc
  SHA256: fe41eb8643312ee2fa36ebb449c9fee5731d429160d7f545fa803d0e57b8d9e9
  SHA512: 34d46ae85b3a22a6959c7e695b619f763bfe009c2a8de7868dd7989414f801c78059afb1a630cf4b8651125682587dc4ffa02208043b82398356b76691949b5e
- Filesize: 52KB
  MD5: b9c47303bc52b06691f69d22b00917a3
  SHA1: a913a09f6423714f6004ffbf594cb0932542d465
  SHA256: 04826935820484b10460a00c372df4cf2b8b14098902a92a7cbd93078fb2df44
  SHA512: 47ecd123f6afb55c43410a00ddc76c918206131f387b0da618a32fd8b17ed3a3d429dc2f57ab3815b0f91886fd99378cf16466d11174a41c98b5f4fd601a7090