Analysis

  • max time kernel
    32s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-05-2023 18:01

General

  • Target

    lockisdog.exe

  • Size

    53KB

  • MD5

    58c8c8c3038a5fbca2202248a1101da0

  • SHA1

    d07e81d55f9fbc7702efb28ba2a37b855cb1cfbe

  • SHA256

    71e3fce98a6436cf6a771732e9556106a071d86236f752d4540f669bef058f9c

  • SHA512

    4ff4fb70971de46ea55e7f792760dc3bdb60912f537e5f201a05f070a0b09e82d6d3ca11389fa455e49702a44875d8423f49d0e31a543f480d71a9acb13bd3a7

  • SSDEEP

    768:83vuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5YmUf:8TeytM3alnawrRIwxVSHMweio3+H

Malware Config

Extracted

Path

C:\Users\Public\Videos\Sample Videos\how_to_back_files.html

Ransom Note
<html>
<style type="text/css">
body { background-color: #f5f5f5; }
h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; }
/*---*/
.tabs1{ display: block; margin: auto; }
.tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; }
.tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; }
.tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; }
.tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; }
.tabs .content .text{ padding: 25px; line-height: 1.2; }
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">[personal ID omitted]</span>
<br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>.onion </a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br>
<hr>
<b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>

Extracted

Path

C:\Users\Admin\Desktop\how_to_back_files.html

Family

medusalocker

Ransom Note
Your personal ID:
34 3A 73 91 BF FD 05 E4 04 94 43 9B BD 6E EA 43 18 C8 EC D8 65 B9 D6 14 09 BB 86 C9 26 03 88 FF 9F 0D 0F 87 CA A0 4E A2 E4 B5 13 F3 74 39 E2 22 FE D2 FB EB 69 9B 28 B2 16 7B BE 05 38 7D 6B 04 A1 62 6A 93 8F 6F 06 73 DA CA AF 4B 10 88 03 DB 7D 1C 69 04 9E 46 35 91 2B 90 06 A4 50 3F AE 39 81 B7 19 87 DE 56 D9 BC FE 76 51 F7 DC 3D 6C 0E 92 82 47 B0 63 59 9A FF 6F 79 D5 36 95 44 9C FA 65 57 B8 73 05 D5 15 20 58 0C 0E 26 BA 91 8D 63 11 12 4E 01 31 EC 79 41 5A 3C F5 AE C2 CD D8 EF 95 66 B0 DD 49 B6 B5 BC D9 CE 30 1E DB 37 04 AF 9C 06 61 DD B6 93 4C CD C3 B4 FA 27 53 C4 98 FC 7C 7C F7 7C D5 14 C3 53 3B 6D 6A 28 DB 7E 92 8C 6E 36 A6 72 39 C0 50 DA 3B 7A 36 F6 12 57 B2 F0 AA 2E 4C A4 18 EA 09 80 1A A8 21 EE 77 5B 64 6B F6 70 3B 97 52 B3 85 CF C7 DE A8 C7 1E 8A 49 7B

/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
All your important files have been encrypted!

Your files are safe! Only modified. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to solve your problem.

We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..

We only seek money and our goal is not to damage your reputation or prevent your business from running.

You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back.

Contact us for price and get decryption software.
.onion
* Note that this server is available via Tor browser only

Follow the instructions to open the link:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.
3. Now you have Tor browser. In the Tor Browser open .onion
4. Start a chat and follow the further instructions.

If you can not use the above link, use the email:
[email protected]
[email protected]
* To contact us, create a new free email account on the site: protonmail.com

IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 27 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lockisdog.exe
    "C:\Users\Admin\AppData\Local\Temp\lockisdog.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:2012
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\how_to_back_files.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1852 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1612

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    304B

    MD5

    9868886f3d51c8bc2e1def90037ddcfa

    SHA1

    34852b562386091b75e55d5bb8a0e306477e9ba4

    SHA256

    71f475da5cf07b26d398a08ad010516fdbfd6d49e9443e00af26739c78bbc2de

    SHA512

    197160ac2c439f69513420b4758a34bfb3a08d6af3f40f50b579850f7484412448bde880a448b6566eca9698da815e8ea082b86fec0998ca8bab8bbbff4280fe

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    304B

    MD5

    ba30d0c77ddee22eca4c3ba789a6293a

    SHA1

    35535179d6307d9b07273482bbe94674d0f695fc

    SHA256

    1370efbada632c6d035393212647ed496828907901d688eaf81c7b9a06ea30ff

    SHA512

    2d35bf681b059fd68668ea67c89b0d1fd32a1100f035d7ed4bdf2a89e53c4bb1eb88af2c5d87eebea5a48ef70db46bd44f64df56b2103a72135b68f154a41177

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    304B

    MD5

    755a92d493570c89885052ca0a81c1db

    SHA1

    019fb20b832b3f199e606cfd1b5aa8f9e24cb049

    SHA256

    845cce979a5bda97e058373aed3b8ecea5daad49d066e1d9f7ad93bbfd5627f6

    SHA512

    8b0826ca28f028ef859c2bc8dd52e6f47cd431391302eca29a847fa470fea206d390be3520df302203d268f6fdf5e1f32cfea9e6be5c2f38e765894daa46d5f7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    304B

    MD5

    d787e03b1b625eeb8480adaf8fb15a12

    SHA1

    1259d7cfe4f69c9692ad5b3c2399b6649348bf1b

    SHA256

    f6c8fa82bb71b9407769e820e608edb3f6a69ce833a028d13c892352d6ef9842

    SHA512

    8d3f9f0f3fb2ff911a71b4f413c1e41d167fd7ed6605ddab4ac815925632289952db5d5633ef42586e923daea4f1cb925af0a567604b1145f33480cc691e4dab

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    304B

    MD5

    d9fe5dac5a50437c02e96563aa7b82ca

    SHA1

    3519c0e4a8f1a780ddcdd554303389d89f8ed553

    SHA256

    87c96f19a4088814d5687d4fc4a2c19b70f4d4c9b6923838c9d8827bcbce39c1

    SHA512

    371932b8478f6ccae69edfec07a538ea12f6310dcaaeb5a257b9361f101765a9daf5d0d2135fdb59762bc800c7b848153eb1c721d7beb451a8547d9cd4ca8460

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    304B

    MD5

    d1737eeee83647aa2bfb9fa53963ccc7

    SHA1

    e719a9ba9dfbda6d25a7ceb9fd5617891173af11

    SHA256

    5668e0ce0d1a064936c090743b3daea8b0b5fd4c3672c11e5a4caa6628be6240

    SHA512

    12895f2425008b9fb1ff815a3dadee0484825c214692b4c4c4102c72c498790ee30ee5089b7c3f795034e13b838b9b1f36fcecf41671e08558374a663c43323f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    304B

    MD5

    904df9bb146cf9a13653760cda67d577

    SHA1

    4cd9fef2009516e744e3862789d73f797fc32f32

    SHA256

    9e4bfb5830c97e3ac54064022574b06c9138cb7cfb32aa2c522190aff6f7992b

    SHA512

    e619798de9f6965254e0b10dbeca10abd0730531fc55b4969e9a2c3050c590fdea5fb15d4dab721d2c0a9a2f84a67dc4891323d28a5aa1c5818eacce550cf357

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    304B

    MD5

    53ad329cac52a468ebf2a2a56a1d7896

    SHA1

    e2e197810f452eb656a850c0ac88c025e07962fc

    SHA256

    88e5529ebb65cbafa1eaa31ac8d63f2e5e8a9a2beeefd110db69967d8c293878

    SHA512

    d9720245f3f6bc95e61002cbcd352b0c6418b6d5d1243250bdc64fe08d2cf527c0aebf9ce4d790ce362a51112364b336fccdc0bdc419b825a05709b891186bc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    304B

    MD5

    4d96741caf016f825dabfdd862ff899f

    SHA1

    0100302ec6bea5dd18449dd2831fb232a28bfb27

    SHA256

    68cf9148da2f804e575505fa84680c3561750b3c04913a2b50989a62cc8be444

    SHA512

    1acb2483db2649db84923ad437cfdb7c5da56fa1973ee4d52c72dca5ab1f0a7f10cda588383ef1821e2b7ae05b7c732d6b4f2a1c85652d10c985f0ce3a5792a9

  • C:\Users\Admin\AppData\Local\Temp\Cab733E.tmp

    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

  • C:\Users\Admin\AppData\Local\Temp\Cab73EF.tmp

    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

  • C:\Users\Admin\AppData\Local\Temp\Tar7460.tmp

    Filesize

    164KB

    MD5

    4ff65ad929cd9a367680e0e5b1c08166

    SHA1

    c0af0d4396bd1f15c45f39d3b849ba444233b3a2

    SHA256

    c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

    SHA512

    f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

  • C:\Users\Admin\Desktop\how_to_back_files.html

    Filesize

    4KB

    MD5

    3c53e2208a7e97d5c91c277cbd9648f6

    SHA1

    788178ce36caed63557ae61ded8b380cf26e8cac

    SHA256

    58042329f3646222bed8cd5010e7f3772e1673ce6822c6f9015179db1de751a2

    SHA512

    b3c702a127d028c4f8572cd0f9fdaa6a359cf8d04ca9a957fbb86a24db7afb0f2fa2a15f3fbc8c4334568e0e7fa5e757c2ff2f37c08e021885de57ede7e1744b

  • C:\Users\Public\Videos\Sample Videos\how_to_back_files.html

    Filesize

    4KB

    MD5

    3c53e2208a7e97d5c91c277cbd9648f6

    SHA1

    788178ce36caed63557ae61ded8b380cf26e8cac

    SHA256

    58042329f3646222bed8cd5010e7f3772e1673ce6822c6f9015179db1de751a2

    SHA512

    b3c702a127d028c4f8572cd0f9fdaa6a359cf8d04ca9a957fbb86a24db7afb0f2fa2a15f3fbc8c4334568e0e7fa5e757c2ff2f37c08e021885de57ede7e1744b

  • memory/2012-105-0x0000000000400000-0x000000000040E200-memory.dmp

    Filesize

    56KB