Analysis
-
max time kernel
157s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
20-03-2024 10:07
Static task
static1
Behavioral task
behavioral1
Sample
230406-bzj2fsaf74.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
230406-bzj2fsaf74.exe
Resource
win10v2004-20240226-en
General
-
Target
230406-bzj2fsaf74.exe
-
Size
639KB
-
MD5
3c0447a8e05bc9ed43128ed22c22e23a
-
SHA1
0bf74262d4f57a3461088e1d96045ebbdeb43c21
-
SHA256
59ec54fb9b1d3415b54558977e3640b81bb3ebebdb61af3fc772e308c6b8eb3a
-
SHA512
f4ec59d7445ceabf7fe8fcd8be7752b5ae6db4a68bcf53d73419d515131f86c7eb8893999c9c60569f2b4f8fb27f5c1457c3177476c4dad6489fb15591c9fa44
-
SSDEEP
12288:2jZfZfZfZfZfZfZOZ2XsHUKwbNWuTncBxPMRS8SUC9H4jlNEz9vBiptAE43/:2jZfZfZfZfZfZfZOZ2XsHUK8ni0U8SU0
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
230406-bzj2fsaf74.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\ykcol.bmp" 230406-bzj2fsaf74.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1940 vssadmin.exe -
Modifies Control Panel 2 IoCs
Processes:
230406-bzj2fsaf74.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "0" 230406-bzj2fsaf74.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\TileWallpaper = "0" 230406-bzj2fsaf74.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 940 vssvc.exe Token: SeRestorePrivilege 940 vssvc.exe Token: SeAuditPrivilege 940 vssvc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
230406-bzj2fsaf74.exedescription pid process target process PID 4476 wrote to memory of 4528 4476 230406-bzj2fsaf74.exe msedge.exe PID 4476 wrote to memory of 4528 4476 230406-bzj2fsaf74.exe msedge.exe PID 4476 wrote to memory of 1328 4476 230406-bzj2fsaf74.exe cmd.exe PID 4476 wrote to memory of 1328 4476 230406-bzj2fsaf74.exe cmd.exe PID 4476 wrote to memory of 1328 4476 230406-bzj2fsaf74.exe cmd.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\230406-bzj2fsaf74.exe"C:\Users\Admin\AppData\Local\Temp\230406-bzj2fsaf74.exe"1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\ykcol.htm2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\230406-bzj2fsaf74.exe"2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All1⤵
- Interacts with shadow copies
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3964 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=748 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4884 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5420 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5892 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Default\ykcol-f9bf.htmFilesize
8KB
MD55cf3c7ca15c3731e2df274cef0519212
SHA1f0a19ea0864a94e6011a0e5b9934b3a7fee5f03f
SHA256e5d33aaa43220f6f09c4330b69d7267b7bad0de43a582cfee770ecef95b3d53c
SHA512db9f184c3f4099324152bcdeb7fa7b1915f256707c1df40870b7c8529a175914793a8891beb2c182d758d498e09d0cc1c5e031dbf810a29d23cf2092d0da6eca
-
memory/4476-1-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/4476-3-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/4476-0-0x0000000000530000-0x0000000000531000-memory.dmpFilesize
4KB
-
memory/4476-2-0x0000000000540000-0x0000000000541000-memory.dmpFilesize
4KB
-
memory/4476-4-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/4476-6-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/4476-203-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/4476-312-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB