Analysis
- max time kernel: 0s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/01/2024, 19:20
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
  - Resource: win7-20231215-en

Behavioral task
- behavioral2
  - Sample: 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
  - Resource: win10v2004-20231215-en
General
- Target: 202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
- Size: 1.3MB
- MD5: 9c4cf5de0f3b3b30580b293df06a8bfc
- SHA1: 0d6f67856bc7769dd1f312a92ce42ea6dd42f1b2
- SHA256: e86126285765e75589f3e068ea6120e27d59b523595dfe1c333f1e89d5d235a2
- SHA512: 0e6c38ae91b99438feda96789701862559c510595efbff665d4ae2176370c16f88d46ddfc45845b3ad01a7fcc67a478868fffdb0be647f24a24eb203af312959
- SSDEEP: 24576:Iw8gCCgWDAe1wLiBnGHpq0Iylpn0oCcTQ0Ev:58g3nuEUr0rcTI
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  792   schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  4048  202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
  (all six IoCs in the report have the same pid and process)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                  pid   Process
  Token: SeBackupPrivilege     4048  202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
  Token: SeRestorePrivilege    4048  202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe"
  PID: 4048
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  Child process:
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe" /rl HIGHEST /f
    PID: 468
    Child process:
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe" /rl HIGHEST /f
      PID: 792
      Signatures:
      - Creates scheduled task(s)
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 4488
- C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
  PID: 3460
- C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\202401069c4cf5de0f3b3b30580b293df06a8bfcransomlock.exe
  PID: 4072