4526ae4561821d6b114ad8e12c0ed0bd416fe890ede8b75c875026640a8b866e

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
Size

436KB
MD5

a44ee9c467d45ed3d8e86ec165017539
SHA1

efbbf15fb3466d78e8a57d24da3a05b9a4a33453
SHA256

4526ae4561821d6b114ad8e12c0ed0bd416fe890ede8b75c875026640a8b866e
SHA512

9d56372cd224ef3eb70678ed1be0578326de0307a7cc7e1b06a7ad3987640a97a6df39e13c310eaa725893f7fd622522838c81e16c88a02ac1094cb3bb36c0bd
SSDEEP

12288:7MSU4joci8M6PW1GVFeFd60DFUyhezYM:ASUCpM2W1Gvgmyezv

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe"	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe"	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
2240	2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_a44ee9c467d45ed3d8e86ec165017539_ransomlock.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2240-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2240-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2240-3-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download