Analysis

Max time kernel: 150s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 07/01/2024, 19:20
Static task: static1

Behavioral task: behavioral1
Sample: 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Resource: win10v2004-20231215-en
General

Target: 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Size: 1.3MB
MD5: 9c4cf5de0f3b3b30580b293df06a8bfc
SHA1: 0d6f67856bc7769dd1f312a92ce42ea6dd42f1b2
SHA256: e86126285765e75589f3e068ea6120e27d59b523595dfe1c333f1e89d5d235a2
SHA512: 0e6c38ae91b99438feda96789701862559c510595efbff665d4ae2176370c16f88d46ddfc45845b3ad01a7fcc67a478868fffdb0be647f24a24eb203af312959
SSDEEP: 24576:Iw8gCCgWDAe1wLiBnGHpq0Iylpn0oCcTQ0Ev:58g3nuEUr0rcTI
Malware Config
Signatures
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe

Sets file execution options in registry (2 TTPs, 12 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe" | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe" | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe" | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe" | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "\"cmd.exe\",\"C:\\Users\\Admin\\AppData\\Local\\Temp\\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe\"" | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe" | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Qwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe" | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2924 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1272 | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
(The report lists this identical row once for each of the 64 IoCs.)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1272 | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 1272 | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Token: SeRestorePrivilege | 1272 | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target
PID 1272 wrote to memory of 3036 | 1272 | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe | 21
PID 1272 wrote to memory of 3036 | 1272 | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe | 21
PID 1272 wrote to memory of 3036 | 1272 | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe | 21
PID 1272 wrote to memory of 3036 | 1272 | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe | 21
PID 3036 wrote to memory of 2924 | 3036 | cmd.exe | 19
PID 3036 wrote to memory of 2924 | 3036 | cmd.exe | 19
PID 3036 wrote to memory of 2924 | 3036 | cmd.exe | 19
PID 3008 wrote to memory of 2760 | 3008 | taskeng.exe | 32
PID 3008 wrote to memory of 2760 | 3008 | taskeng.exe | 32
PID 3008 wrote to memory of 2760 | 3008 | taskeng.exe | 32
PID 3008 wrote to memory of 2760 | 3008 | taskeng.exe | 32
PID 3008 wrote to memory of 2308 | 3008 | taskeng.exe | 36
PID 3008 wrote to memory of 2308 | 3008 | taskeng.exe | 36
PID 3008 wrote to memory of 2308 | 3008 | taskeng.exe | 36
PID 3008 wrote to memory of 2308 | 3008 | taskeng.exe | 36
PID 3008 wrote to memory of 2700 | 3008 | taskeng.exe | 37
PID 3008 wrote to memory of 2700 | 3008 | taskeng.exe | 37
PID 3008 wrote to memory of 2700 | 3008 | taskeng.exe | 37
PID 3008 wrote to memory of 2700 | 3008 | taskeng.exe | 37
System policy modification (1 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1" | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe"
  PID: 1272
  Signatures:
  - UAC bypass
  - Sets file execution options in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe" /rl HIGHEST /f
    PID: 3036
    Signatures:
    - Suspicious use of WriteProcessMemory

- C:\Windows\system32\schtasks.exe
  Command line: schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe" /rl HIGHEST /f
  PID: 2924
  Signatures:
  - Creates scheduled task(s)

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {BE6804A4-176C-4265-96FC-A53F00C49AEB} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
  PID: 3008
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
    PID: 2760
  - C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
    PID: 2308
  - C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
    PID: 2700

- C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe explorer.exe
  PID: 2644
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)