Analysis Overview
SHA256
a264021abf450d716b145735559ec169f7128597b1714da4f28c82f1570a9348
Threat Level: Known bad
The file 20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-07 19:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-07 19:20
Reported
2024-01-07 19:23
Platform
win7-20231215-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe" | C:\Users\Admin\AppData\Local\Temp\20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe" | C:\Users\Admin\AppData\Local\Temp\20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Processes
C:\Users\Admin\AppData\Local\Temp\20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe
"C:\Users\Admin\AppData\Local\Temp\20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe"
C:\Windows\explorer.exe
explorer.exe
Network
Files
memory/3032-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/3032-1-0x0000000000400000-0x0000000000474000-memory.dmp
memory/3032-3-0x0000000000230000-0x0000000000231000-memory.dmp
memory/3032-6-0x0000000000400000-0x0000000000474000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-07 19:20
Reported
2024-01-07 19:23
Platform
win10v2004-20231222-en
Max time kernel
84s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe" | C:\Users\Admin\AppData\Local\Temp\20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe" | C:\Users\Admin\AppData\Local\Temp\20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
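Both detonations set the same two per-user values: Winlogon\Shell (ATT&CK T1547.004, Winlogon Helper DLL) and RunOnce\userini (T1547.001, Registry Run Keys / Startup Folder). Both live under \REGISTRY\USER\<SID>, i.e. the logged-on user's HKCU hive, so neither write needed elevation. Note that a RunOnce entry is deleted after it runs, so the Winlogon\Shell value is the durable foothold: the sample replaces the user's shell, and Windows launches it instead of explorer.exe at every logon. The following Python is an added example, not part of this report or its sandbox, that parses "Set value (str)" indicators in the notation used in the tables above and applies the two checks a hunt query would use: Shell set to anything other than explorer.exe, and Run/RunOnce targets in user-writable directories. The sample events are the two indicators from the Windows 10 detonation plus two constructed benign writes (the "VendorAgent" entry is hypothetical) that should not fire.

```python
"""Flag the two persistence signatures from this report in sandbox-style registry events."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sandbox registry notation: \REGISTRY\USER\<SID>\... (HKCU) or \REGISTRY\MACHINE\... (HKLM)
_KEY_RE = re.compile(
    r"^\\REGISTRY\\(?:USER\\(?P<sid>S-1-5-[\d-]+)|(?P<machine>MACHINE))\\(?P<rest>.+)$",
    re.IGNORECASE,
)
# Hive-relative locations of the two persistence points (compared case-insensitively)
_WINLOGON_SHELL = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
_RUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
}
# Directories any interactive user can write to; a Run target here is a red flag
_USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                  "\\users\\public\\", "\\programdata\\")


@dataclass
class RegSetEvent:
    hive: str            # "HKCU" or "HKLM"
    sid: Optional[str]   # user SID when the write went to the user hive
    key: str             # hive-relative key path, without the value name
    name: str            # value name
    data: str            # string data with the sandbox's doubled backslashes undone


def parse_event(line: str) -> RegSetEvent:
    """Parse one indicator of the form <\\REGISTRY\\...\\Key\\Name> = "<data>"."""
    path, sep, raw = line.partition(" = ")
    if not sep:
        raise ValueError("not a set-value indicator: %r" % line)
    m = _KEY_RE.match(path.strip())
    if not m:
        raise ValueError("unrecognised registry path: %r" % path)
    key, _, name = m.group("rest").rpartition("\\")
    data = raw.strip().strip('"').replace("\\\\", "\\")
    hive = "HKLM" if m.group("machine") else "HKCU"
    return RegSetEvent(hive, m.group("sid"), key, name, data)


def classify(ev: RegSetEvent) -> List[str]:
    """Return persistence findings for one event; an empty list means nothing fired."""
    findings = []
    full = (ev.key + "\\" + ev.name).lower()
    if full == _WINLOGON_SHELL.lower():
        # Winlogon runs every comma-separated entry here as the user's shell (T1547.004);
        # anything other than the default explorer.exe is a replaced or appended shell.
        tokens = [t.strip().lower() for t in ev.data.split(",") if t.strip()]
        if any(t != "explorer.exe" for t in tokens):
            findings.append("T1547.004 " + ev.hive + " Winlogon Shell replaced with " + ev.data)
    if ev.key.lower() in _RUN_KEYS:
        # Run/RunOnce autostart (T1547.001); suspicious when the target sits in a
        # user-writable location such as %TEMP%, where dropped payloads usually live.
        subkey = ev.key.rsplit("\\", 1)[-1]
        if any(d in ev.data.lower() for d in _USER_WRITABLE):
            findings.append("T1547.001 " + ev.hive + " " + subkey + " value " + ev.name
                            + " -> " + ev.data + " (user-writable location)")
    return findings


def scan(lines: List[str]) -> List[str]:
    """Run both checks over a list of indicator lines and collect the findings."""
    out = []
    for line in lines:
        out.extend(classify(parse_event(line)))
    return out


# Constructed sample input: the two indicators from the win10 detonation above, plus a
# default HKLM shell and a hypothetical vendor autostart that must not fire.
SAMPLE_EVENTS = [
    r'\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe"',
    r'\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent = "C:\\Program Files\\Vendor\\agent.exe"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The same two checks translate directly into a host hunt: read HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell for every loaded user hive and alert on any value other than explorer.exe, and review Run/RunOnce entries whose target resolves under %TEMP%, %ProgramData% or %PUBLIC%. The HKLM Winlogon\Shell value deserves the same check, since a sample running with admin rights can set it there instead.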
Processes
C:\Users\Admin\AppData\Local\Temp\20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe
"C:\Users\Admin\AppData\Local\Temp\20240106c295a0ed45161f1129dbc81096e374d0ransomlock.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4548-0-0x0000000000690000-0x0000000000691000-memory.dmp
memory/4548-1-0x0000000000400000-0x0000000000474000-memory.dmp
memory/4548-3-0x0000000000690000-0x0000000000691000-memory.dmp
memory/4548-4-0x0000000000400000-0x0000000000474000-memory.dmp