Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-09-2023 18:43

General

  • Target

    b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe_JC.exe

  • Size

    169KB

  • MD5

    98562209465bec53327e65649a2b8829

  • SHA1

    3a47656ed3df213bd934aa01078a863568fe9f2b

  • SHA256

    b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe

  • SHA512

    c11ce14f9cb75df2bc9bd81971c1f8fa885815715f389eb8e796e0f657de59756b36a6f896c216a03c7be7bb3ddff9b8a47aee71146760e4f4d9c6bdc0ff2cc3

  • SSDEEP

    3072:iFgiMd04bHHr/QFDtaruNyXgs7WL61fXbEiVkYELY2P+gA/PF:UE3bHL/ngsu61kYELNmhF

Malware Config

Extracted

Path

C:\Users\Admin\Favorites\!!Read_Me.C16A8.html

Ransom Note
<!DOCTYPE html><h1>#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK</h1>Dear Sir<br><br>Your files are encrypted with RSA4096 and AES encryption algorithm. <br>But don't worry, you can return all your files!! follow the instructions to recover your files <br><br>Cooperate with us and get the decrypter program as soon as possible will be your best solution.<br>Only our software can decrypt all your encrypted files.<br><br>What guarantees you have?<br>We take our reputation seriously. We reject any form of deception</br>You can send one of your encrypted file from your PC and we decrypt it for free. <br>But we can decrypt only 1 file for free. File must not contain any valuable information.<br>When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think.<br> Are they really interested in solving your problems or are they just thinking about their profit and ambitions?<br><br>By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst...<br>Here we upload sample files of your company and your private data on our blog :<br>http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion<br>We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website.<br>We also promise we can decrypt all of your data and delete all your files on internet after your payment.<br>Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors!<br>For us this is just business and to prove to you our seriousness.<br><br>Our e-mail:<br> [email protected]<br><br> Reserve e-mail:<br>[email protected]<br>[email protected]<br><br>Device ID:<br>
Emails

The note carries three contact addresses (one primary, two reserve). All three are rendered as [email protected] in the captured page and cannot be recovered from it:

[email protected] (primary e-mail)

[email protected] (reserve e-mail)

[email protected] (reserve e-mail)

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis. The ransom note extracted above self-identifies as Ragnarok, which conflicts with this family tag; treat the tag as a signature match to be verified rather than as confirmed attribution.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (137) files with added filename extension

    Appending an extension to many files in a single run is typical of ransomware encrypting files across the system.

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 13 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe_JC.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4004
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c netsh advfirewall set allprofiles state off
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\system32\netsh.exe
        netsh advfirewall set allprofiles state off
        3⤵
        • Modifies Windows Firewall
        PID:1860
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c bcdedit /set {current} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4976
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:5104
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c wmic shadowcopy delete /nointeractive
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2388
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im mys*
      2⤵
      PID:4060
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im mys*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3624
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im post*
      2⤵
      PID:2612
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im post*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2104
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im vee*
      2⤵
      PID:4584
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im vee*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2284
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im python*
      2⤵
      PID:3844
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im python*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2916
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im java*
      2⤵
      PID:4240
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im java*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2476
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im apache*
      2⤵
      PID:4996
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im apache*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3224
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im tomcat*
      2⤵
      PID:2640
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im tomcat*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:336
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im sql*
      2⤵
      PID:4496
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im sql*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2260
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im Exchange*
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Exchange*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:216
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im excel*
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:648
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im excel*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im winword*
      2⤵
      PID:2648
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im winword*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4800
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im powerpnt*
      2⤵
      PID:4816
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im powerpnt*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4628
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im note*
      2⤵
      PID:4984
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im note*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1364
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1>nul & del /q C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe_JC.exe
      2⤵
      PID:2268
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:408
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5096
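The process tree above is the raw material for detection: every destructive step is a plain command line spawned by the sample through cmd.exe. As an added example (editor's code, not part of the sandbox report and not the sample's own code), the Python below runs a small rule set over process-creation records and maps each hit to an ATT&CK Enterprise technique. The MITRE ATT&CK section of this report is empty on the page, so the technique IDs are the editor's mapping, not the sandbox's. The records are constructed from the level-2 cmd.exe command lines shown above with their reported pids (parent 2928 is the sample); the benign `dir` record with pids 5555/1234 is made up for contrast. The per-parent T1490 count is the point worth taking away: vssadmin, wmic and bcdedit are each run legitimately by administrators, but one parent issuing all four recovery-inhibition changes in a burst is not.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (pid, parent pid, image path, command line)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Rules: (ATT&CK technique id, rule name, command-line pattern).
# Technique IDs are the editor's mapping for the behaviour, not the report's.
RULES = [
    ("T1490", "shadow copy deletion via vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "shadow copy deletion via wmic",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "Windows recovery disabled via bcdedit",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{current\}\s+recoveryenabled\s+no\b", re.I)),
    ("T1490", "boot failures ignored via bcdedit",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{current\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1562.004", "Windows Firewall disabled for all profiles via netsh",
     re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b", re.I)),
    ("T1489", "forced process kill via taskkill /f /im",
     re.compile(r"\btaskkill(?:\.exe)?\s+/f\s+/im\s+\S+", re.I)),
    ("T1070.004", "self-deletion via ping delay and del",
     re.compile(r"\bping\s+127\.0\.0\.1\s*>\s*nul\s*&\s*del\s+/q\s+\S+", re.I)),
]

TASKKILL_TARGET = re.compile(r"\btaskkill(?:\.exe)?\s+/f\s+/im\s+(\S+)", re.I)


def classify(events):
    """Return (pid, technique_id, rule_name) for every event matching a rule."""
    hits = []
    for ev in events:
        for tid, name, pat in RULES:
            if pat.search(ev.cmdline):
                hits.append((ev.pid, tid, name))
    return hits


def recovery_inhibition_by_parent(events):
    """Count distinct T1490 behaviours per parent pid.

    One parent issuing several distinct recovery-inhibition commands is a far
    stronger signal than any single command, which admins also run by hand.
    """
    pid_to_ppid = {ev.pid: ev.ppid for ev in events}
    seen = defaultdict(set)
    for pid, tid, name in classify(events):
        if tid == "T1490":
            seen[pid_to_ppid[pid]].add(name)
    return {ppid: len(names) for ppid, names in seen.items()}


def taskkill_targets(events):
    """Collect the image-name patterns passed to taskkill /f /im, sorted."""
    targets = set()
    for ev in events:
        m = TASKKILL_TARGET.search(ev.cmdline)
        if m:
            targets.add(m.group(1))
    return sorted(targets)


# Constructed input: level-2 cmd.exe command lines from the process tree above
# (pids as reported, parent 2928 is the sample) plus one made-up benign record.
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe_JC.exe")
CMD = r"C:\Windows\SYSTEM32\cmd.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    ProcEvent(1688, 2928, CMD, "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcEvent(2452, 2928, CMD, "cmd.exe /c netsh advfirewall set allprofiles state off"),
    ProcEvent(1812, 2928, CMD, "cmd.exe /c bcdedit /set {current} recoveryenabled no"),
    ProcEvent(4352, 2928, CMD, "cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures"),
    ProcEvent(4048, 2928, CMD, "cmd.exe /c wmic shadowcopy delete /nointeractive"),
    ProcEvent(4060, 2928, CMD32, "cmd.exe /c taskkill /f /im mys*"),
    ProcEvent(4496, 2928, CMD32, "cmd.exe /c taskkill /f /im sql*"),
    ProcEvent(2256, 2928, CMD32, "cmd.exe /c taskkill /f /im Exchange*"),
    ProcEvent(2268, 2928, CMD32, "cmd.exe /c ping 127.0.0.1>nul & del /q " + SAMPLE_PATH),
    ProcEvent(5555, 1234, CMD, r"cmd.exe /c dir C:\Users"),  # constructed benign record
]

if __name__ == "__main__":
    for pid, tid, name in classify(EVENTS):
        print(f"pid {pid}: {tid} {name}")
    print("distinct T1490 behaviours per parent:", recovery_inhibition_by_parent(EVENTS))
    print("taskkill targets:", taskkill_targets(EVENTS))
```

Feeding the level-3 child events (vssadmin.exe, bcdedit.exe, taskkill.exe themselves) as well would produce a second hit per behaviour; the per-parent count deduplicates by rule name, so it is unaffected, but a raw hit count would need the same treatment.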

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Favorites\!!Read_Me.C16A8.html

    Filesize

    4KB

    MD5

    81b284fed9c20fa4ab0968ac0a0d9a67

    SHA1

    3ad6c587482e01dff5af044288d85944ed21687f

    SHA256

    a5adc8ff23ca49e659cbe91bf9977eb0941e5649953779f182398913ad54256b

    SHA512

    25e91956d952ab7d384d89ba0c39e8200e257907a9c57d3561c7fc945e1050500248489671873f506de5b38d015a1277466ac1aa10a9c1ffcff1b0c917ed1543

  • memory/2928-0-0x0000000010000000-0x000000001001C000-memory.dmp

    Filesize

    112KB