Analysis
-
max time kernel
132s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
20-03-2024 10:07
General
-
Target
230406-bzj2fsaf74.exe
-
Size
639KB
-
MD5
3c0447a8e05bc9ed43128ed22c22e23a
-
SHA1
0bf74262d4f57a3461088e1d96045ebbdeb43c21
-
SHA256
59ec54fb9b1d3415b54558977e3640b81bb3ebebdb61af3fc772e308c6b8eb3a
-
SHA512
f4ec59d7445ceabf7fe8fcd8be7752b5ae6db4a68bcf53d73419d515131f86c7eb8893999c9c60569f2b4f8fb27f5c1457c3177476c4dad6489fb15591c9fa44
-
SSDEEP
12288:2jZfZfZfZfZfZfZOZ2XsHUKwbNWuTncBxPMRS8SUC9H4jlNEz9vBiptAE43/:2jZfZfZfZfZfZfZOZ2XsHUK8ni0U8SU0
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\230406-bzj2fsaf74.exe"C:\Users\Admin\AppData\Local\Temp\230406-bzj2fsaf74.exe"1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ykcol.htm2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1168 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\230406-bzj2fsaf74.exe"2⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {9CEDB9D4-C1B3-43F6-8BA0-94F8343384B1} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD569729016038dcb2851a18aa4387be81a
SHA1014bd4fb7b3b0010e0692f835c786b21c1429c08
SHA2565d150c95a4b7d51b23ccb53ec89335fae52c670de3e4b52b3548f6f2abdf3d73
SHA51284804908e57d2d7af95d728dfebac19185ada321a77b37cfbec60b39dd2a374322d23de7c71636b1ce75ff054f36488a2b6f8f880ff75e024d54967ae46d2ba6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD54e4027cd4d02bd610912e4459b6a260d
SHA1a5cdbddf378715c45faa7cd3f7db9490c929326e
SHA256f87104621f047542ff0082dc8a17eb0f0a16f485f336218e4e510b29656b2e5d
SHA512873b402fffd3b24b72cab3e47935a09a63936472b11f54093d0308e1d694018507ba27678a78c46381888ab088a5a42e2508ed3d341321b068360c221219256e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5e663f90f31539330177d3754294799cc
SHA1db544f20c607242f91b23302f25cc3eccbed2697
SHA2560f6c786289bff44d382e144f39b5ede351f2a886f0df411270c0f642551b6322
SHA51209a4e47db73a2fffde36324c50ccd95b871476c554dfbfdcf3b1fd7e0c6a024746bdd7f843be36bab5dd30047437fab80aacb4b8ea7e7c050371f22bc4e4561a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5a74210004f53e14a2c1322ef723c0978
SHA17d29b0ac86ec5a14d0973fb81ba07d0578c849fa
SHA2563c376bdcaa3e455297da96a8a37e37a2752fe7016ee5088f21b5f22400d429a8
SHA512c6a085a86eacb034afd5ec9be3f484a251333918df992b9457a99af112f87af12aeab1ecf6ea23aec4f6e3ef4243b42e7b4ef425224e79e8bea18023e2207ea0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD595dc6aa7bc39c8add389a6a8d3caf603
SHA15068a2fc2efe37f1ce3448940631106f1080a0c2
SHA256ec9d9f7461d3af9ecbc6fb72264de05343d1b76317515d595201876a5e863ed4
SHA5127c9e89efbc42824ad111b6de9040124f7adc08d7a9a4341c34a9513a04a790daf1f0a58a3df19121f6ac319b6fa875747b32fbe2d4bb6f57545861eb7cf261d8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD586fa6750b7b833167da47504bd18abd5
SHA11f53d3466ce08ea9ea5655603bad6e6521021e53
SHA256852703348309f55df586a741f9f08603490bb7cc39c4dcfb0c236d5ec6683c0d
SHA51297011f3bd748fd22e09f9d8a3096cf39062f1728acb43a91c3bc9d1e3876910bd23bc0012c0810d78a07d46254f1c9ecf575c8805f9653a8368434800ff2255b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5ebe32af83407c0a5e28b200b4600fd6a
SHA187666877168e2b2d7ea682d65918d0cdfd53ba40
SHA256d308c9bb707f9d7d94c3d9ac1f511633ae718d2ddb382818be97a980192763b7
SHA51262cffaf64c86da7cbe26b69e956567cc6aa6e6ee92dfc1ba62a7567219cade4cae8051474a80656df927bb14b69fe8272b7c0613783f18e859d54f4acaa35bc6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD595bfe8f39e40821ada1b066319a51432
SHA1908c4133de6001c183cc83cec4d894522c518158
SHA2563456aa561cec5bcab988c0cffaf8cc504dd51287f665cd7afd8d653817333d31
SHA51293cdfb43cc5af9cbd9f0f1a4af1d00d9adfc730d9b7ea6d3bd9d733671973775ae795dfa5bf6decb92a4a3bd62d520cd2a798f82c51c8dc737e841a2395df606
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5d01e42169dcfa2fc182807983f36fc59
SHA158eab31064436faeae5dfe56733a4e8fd36cc8ae
SHA2560d4c2d58faa91536912082a0220028d9947fc844ece5a68ae48b5ff8213b1bdb
SHA5122d8fe67389455702df36a650f81e0eb086b9b9ecbc82d6ec3a49c23e3542370f9dd08c295a9daaa6a5a00f84bfcce973585063058849c08813c1271c6c8cdf35
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD514dbdca38df8a82fdc70a35300abda7f
SHA118de8a577c11e6507cfe25d580ff9700fb32c609
SHA256ac29ef7776d0e8fab2e85c6d643194629c64605f7939b1708b758d8875144822
SHA512f16e0499389864b92959d75508a971fd1332be99273965bce7af0368d8ae13fc2db27d235fd9cf39e43b4d8daeea85e05e633aa2837ad11b81fa9efcf4e72a8b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5e017c1fb41f2142ab71ff0c4c64b83d2
SHA11b686eafb02ed715424f29663112f8be11be8694
SHA2564a61a49dcb12296eca4ba10f295bd3caf1a3dc4de78fb77423d93bfbd5ef3583
SHA51241103215fc1e26e00f80539f83d5106fa2286c433742e6dc0e04b7be2cbcb84b0a2e8d5e180ee1cc2ee096cf30d5d39e56c31d4b470120b736909a50b1918d40
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD52629f583accfae953fee5f1b21985cbe
SHA134812bdb21dda45b864c702cf2f9727e237c4ccd
SHA25690ffbf8a14b1fde2fb2bdeb34a943da302dbc933c0a842db1f3df232eb04ac57
SHA512d7b5f0e29206e2feda5ef33b69d6e3200d0433e1df33ea91941dc4e9e31c6915ed71f96bac38a3644a72238754d5f0ed1f9344ec0ee0eae8eb1453ba6df78119
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD524bace7d3d9ce463d5636ccb2759a87a
SHA12a06d5c082def0b135cfe158c860ae2c32d78d59
SHA256b80c6b33ab66814ddb930b7eea5c0bbaa40802a77a7fce1842e489abc2ed9ca7
SHA51230eff096165ada1e0c6e92658e234ded5c1409cbadef8e4b43de3227b4584032d6e9b44360cc289c972604732e249da980358206d874bd885e09bcf30f2e1c21
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD512004a83be966bc593a165694ff72117
SHA1503dd676a9fe62b70bafb22e808742dceae6b2fd
SHA2569b66370d444545864340ae7587290d87072dffabb10ae7f792f2970007e9c584
SHA512c5efa27c8fca35eb3aa96455c11a94e81579caf4ea3727fcbfc1eba73e82a83bef1179152f58ec882ef7440c36203318f7c25e5d20c85939c7c8230c8ec68f23
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5729ef4cc915a55c389df57d673a6beca
SHA17f72d09edb0dcbcdad0411194309dc8f3f56dc68
SHA256b653a14d0f059abd1e7b8fbd152701ec780e9fce57c93f0237f7e4c797f74420
SHA512431cf1361915a32fd13397a47bc50840241626ebdd3c42a082ae050012116ac80287be1505c33ad373873d1cbd72446fbce75d588beeac741229bd9e7215ad83
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD54d4d643f17aed933f9b037941c41d0fc
SHA1dc8580201fbc471870b3da109978e2130424757a
SHA256bcdd711241cd571d51a403c4e38bce4ceb19b3ab280c1c3b02d02b92c442d6ca
SHA512f51b4c35fbfe7c804f586eea7204992af15047ae623c17ce5946202ab593ce9a7d98b81b6bbe168d8bd6b2b43715b7a4af0f3c6bd0838210e61bf59d37572c6d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5fd61f24b6d012df155547dc3e5ccf8fd
SHA10bfa30455b53e98ec6d69cc1b7bffee3c7545195
SHA256eb27fa6bce16fb993e3a364f53df012ed477b0314273978aba30a2a04521e939
SHA512d2e22222cb08d029228497e518af4609e4ff6e99a08e59a02fe3f1923f671ad78b0ac5e9fbd8b149947facb03c49830017526f9dc654eeeb5d27c1af9f46b1fc
-
C:\Users\Admin\AppData\Local\Temp\Tar9DDD.tmpFilesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
C:\Users\Admin\Desktop\ykcol.bmpFilesize
3.5MB
MD523e8bef5ee5a0638077bcdd17bea9e02
SHA10b85d30583de6a4edf287b7c84819f2a645f9fd0
SHA256688719b19858ac624515188ebe7ece34b4f186a218805eb5aa195fd50b95d86f
SHA512da4ec0c2aba8a503b3fc2ffa45320c30dd633c758ceb0a4dfd6d36e71432eb2e99a559150235a1cfaa157a42c3842913e09bc8c6efa7cdf1bfe9bbe69b9be895
-
C:\ykcol-7b95.htmFilesize
8KB
MD5bf0d6435b0d46e7c64f0372a1f6e4eb7
SHA1c8630622d27feb953c6c6922e4fd98bcd14a2e90
SHA25681f2be9be2862d1f7a327bb3c84e7ae95a3aaeb428cbbd89766f2aee84a7f555
SHA512faabe77d8f9e761e1480039b9848f125bf6097e5763d2ed0f6ba5f6b13bd411e02a85c1a0606ad49fdbf32cf9421da3a351ed3906717a000b3fd9c71abb6c5ce
-
memory/1692-37-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/1692-277-0x0000000002560000-0x0000000002562000-memory.dmpFilesize
8KB
-
memory/1692-259-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/1692-280-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/1692-0-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/1692-5-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/1692-4-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/1692-2-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/1692-3-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/1692-1-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/2360-279-0x0000000001B60000-0x0000000001B61000-memory.dmpFilesize
4KB
-
memory/2360-760-0x0000000001B60000-0x0000000001B61000-memory.dmpFilesize
4KB
-
memory/2360-278-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
