Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30-01-2024 06:14
Static task: static1
Behavioral task: behavioral1
  Sample: 81ad0943b90b4dedbb6fd76278055c84.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 81ad0943b90b4dedbb6fd76278055c84.exe
  Resource: win10v2004-20231215-en
General
Target: 81ad0943b90b4dedbb6fd76278055c84.exe
Size: 1.7MB
MD5: 81ad0943b90b4dedbb6fd76278055c84
SHA1: 4ba545ae626fcaba16ad4cbd8a0c2417c2b8db6f
SHA256: 59e95c1c9dffd0f2b5a5b8a05b7e0f63d2d1582a582b0d11a399b0ca98816f83
SHA512: cacba5f3443da58c02e3cc39ac7a9c18699dc9ad5c0c51b547a5bdcd0a29552acbd5f5ead821d5d9fa2651cc4a38eb442f2dded06bf3217d1bddd682171a2703
SSDEEP: 24576:1AHnh+eWsN3skA4RV1Hom2KXMmHaWh/BRg+Z7UDf0cGbiKdT/ZhGdx3rTERdjrb6:kh+ZkldoPK8YaWh/Ybr0j+KdThQbkzu
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Executes dropped EXE 5 IoCs
Processes:
pid   process
2736  setacl.exe
3012  setacl.exe
2760  setacl.exe
2628  setacl.exe
2612  setacl.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
2864  cmd.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description               ioc     process
File opened (read-only)   \??\m:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\n:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\p:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\r:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\a:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\b:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\g:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\k:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\t:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\x:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\w:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\o:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\q:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\s:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\v:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\u:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\y:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\z:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\e:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\i:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\j:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\l:  81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)   \??\h:  81ad0943b90b4dedbb6fd76278055c84.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid   process
1204  81ad0943b90b4dedbb6fd76278055c84.exe
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
description                        pid   process
Token: SeBackupPrivilege           2736  setacl.exe
Token: SeRestorePrivilege          2736  setacl.exe
Token: SeTakeOwnershipPrivilege    2736  setacl.exe
Token: SeBackupPrivilege           3012  setacl.exe
Token: SeRestorePrivilege          3012  setacl.exe
Token: SeTakeOwnershipPrivilege    3012  setacl.exe
Token: SeBackupPrivilege           2760  setacl.exe
Token: SeRestorePrivilege          2760  setacl.exe
Token: SeTakeOwnershipPrivilege    2760  setacl.exe
Token: SeBackupPrivilege           2628  setacl.exe
Token: SeRestorePrivilege          2628  setacl.exe
Token: SeTakeOwnershipPrivilege    2628  setacl.exe
Token: SeBackupPrivilege           2612  setacl.exe
Token: SeRestorePrivilege          2612  setacl.exe
Token: SeTakeOwnershipPrivilege    2612  setacl.exe
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes:
Each row below is recorded 4 times in the report (13 distinct rows, 52 IoCs in total).

description                        pid   process                               target process
PID 1204 wrote to memory of 3004   1204  81ad0943b90b4dedbb6fd76278055c84.exe  cmd.exe
PID 3004 wrote to memory of 2172   3004  cmd.exe                               net.exe
PID 2172 wrote to memory of 2720   2172  net.exe                               net1.exe
PID 1204 wrote to memory of 2864   1204  81ad0943b90b4dedbb6fd76278055c84.exe  cmd.exe
PID 2864 wrote to memory of 2736   2864  cmd.exe                               setacl.exe
PID 1204 wrote to memory of 2588   1204  81ad0943b90b4dedbb6fd76278055c84.exe  cmd.exe
PID 2588 wrote to memory of 3012   2588  cmd.exe                               setacl.exe
PID 1204 wrote to memory of 2332   1204  81ad0943b90b4dedbb6fd76278055c84.exe  cmd.exe
PID 2332 wrote to memory of 2760   2332  cmd.exe                               setacl.exe
PID 1204 wrote to memory of 2716   1204  81ad0943b90b4dedbb6fd76278055c84.exe  cmd.exe
PID 2716 wrote to memory of 2628   2716  cmd.exe                               setacl.exe
PID 1204 wrote to memory of 2576   1204  81ad0943b90b4dedbb6fd76278055c84.exe  cmd.exe
PID 2576 wrote to memory of 2612   2576  cmd.exe                               setacl.exe
Processes
(indentation and [n] give the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\81ad0943b90b4dedbb6fd76278055c84.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\81ad0943b90b4dedbb6fd76278055c84.exe"
    PID: 1204
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net localgroup
      PID: 3004
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\net.exe
        Command line: net localgroup
        PID: 2172
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 localgroup
          PID: 2720

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Locky" -ot reg -actn ace -ace "n:VTILVGXH\Admin;p:read;m:deny" -ace "n:VTILVGXH\Admin;p:full;m:deny"
      PID: 2864
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Temp\setacl.exe
        Command line: C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Locky" -ot reg -actn ace -ace "n:VTILVGXH\Admin;p:read;m:deny" -ace "n:VTILVGXH\Admin;p:full;m:deny"
        PID: 2736
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:restricted;p:read;m:deny" -ace "n:restricted;p:full;m:deny"
      PID: 2588
      - Suspicious use of WriteProcessMemory

    [3] C:\Temp\setacl.exe
        Command line: C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:restricted;p:read;m:deny" -ace "n:restricted;p:full;m:deny"
        PID: 3012
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:administrateurs;p:read;m:deny" -ace "n:administrateurs;p:full;m:deny"
      PID: 2332
      - Suspicious use of WriteProcessMemory

    [3] C:\Temp\setacl.exe
        Command line: C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:administrateurs;p:read;m:deny" -ace "n:administrateurs;p:full;m:deny"
        PID: 2760
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:système;p:read;m:deny" -ace "n:système;p:full;m:deny"
      PID: 2716
      - Suspicious use of WriteProcessMemory

    [3] C:\Temp\setacl.exe
        Command line: C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:système;p:read;m:deny" -ace "n:système;p:full;m:deny"
        PID: 2628
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:system;p:read;m:deny" -ace "n:system;p:full;m:deny"
      PID: 2576
      - Suspicious use of WriteProcessMemory

    [3] C:\Temp\setacl.exe
        Command line: C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:system;p:read;m:deny" -ace "n:system;p:full;m:deny"
        PID: 2612
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
\Temp\setacl.exe
Filesize: 546KB
MD5: 3e350eb5df15c06dec400a39dd1c6f29
SHA1: f1434cfef2c05fda919922b721ec1a17adb3194e
SHA256: 427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419
SHA512: b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6