Analysis

  • max time kernel
    157s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-03-2024 10:07

General

  • Target

    230406-bzj2fsaf74.exe

  • Size

    639KB

  • MD5

    3c0447a8e05bc9ed43128ed22c22e23a

  • SHA1

    0bf74262d4f57a3461088e1d96045ebbdeb43c21

  • SHA256

    59ec54fb9b1d3415b54558977e3640b81bb3ebebdb61af3fc772e308c6b8eb3a

  • SHA512

    f4ec59d7445ceabf7fe8fcd8be7752b5ae6db4a68bcf53d73419d515131f86c7eb8893999c9c60569f2b4f8fb27f5c1457c3177476c4dad6489fb15591c9fa44

  • SSDEEP

    12288:2jZfZfZfZfZfZfZOZ2XsHUKwbNWuTncBxPMRS8SUC9H4jlNEz9vBiptAE43/:2jZfZfZfZfZfZfZOZ2XsHUK8ni0U8SU0

Score
10/10

Malware Config

Signatures

  • Locky
    Ransomware strain released in 2016, with advanced features like anti-analysis.
  • Deletes shadow copies (2 TTPs)
    Ransomware often targets backup files to inhibit system recovery.
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Interacts with shadow copies (2 TTPs, 1 IoC)
    Shadow copies are often targeted by ransomware to inhibit system recovery.
  • Modifies Control Panel (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (5 IoCs)
  • Uses Volume Shadow Copy service COM API
    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\230406-bzj2fsaf74.exe
    "C:\Users\Admin\AppData\Local\Temp\230406-bzj2fsaf74.exe"
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\ykcol.htm
      PID:4528
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\230406-bzj2fsaf74.exe"
      PID:1328
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
    PID:3724
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:940
  • C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
    • Interacts with shadow copies
    PID:1940
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3964 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
    PID:1148
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=748 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
    PID:1900
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4884 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
    PID:4612
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5420 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
    PID:3792
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5892 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
    PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    • Indicator Removal (2) T1070
      • File Deletion (2) T1070.004
    • Modify Registry (1) T1112
  • Discovery
    • System Information Discovery (1) T1082
  • Impact
    • Inhibit System Recovery (2) T1490
    • Defacement (1) T1491


Downloads

  • C:\Users\Default\ykcol-f9bf.htm
    Filesize: 8KB
    MD5: 5cf3c7ca15c3731e2df274cef0519212
    SHA1: f0a19ea0864a94e6011a0e5b9934b3a7fee5f03f
    SHA256: e5d33aaa43220f6f09c4330b69d7267b7bad0de43a582cfee770ecef95b3d53c
    SHA512: db9f184c3f4099324152bcdeb7fa7b1915f256707c1df40870b7c8529a175914793a8891beb2c182d758d498e09d0cc1c5e031dbf810a29d23cf2092d0da6eca
  • memory/4476-1-0x0000000000400000-0x00000000004A3000-memory.dmp
    Filesize: 652KB
  • memory/4476-3-0x0000000000400000-0x00000000004A3000-memory.dmp
    Filesize: 652KB
  • memory/4476-0-0x0000000000530000-0x0000000000531000-memory.dmp
    Filesize: 4KB
  • memory/4476-2-0x0000000000540000-0x0000000000541000-memory.dmp
    Filesize: 4KB
  • memory/4476-4-0x0000000000400000-0x00000000004A3000-memory.dmp
    Filesize: 652KB
  • memory/4476-6-0x0000000000400000-0x00000000004A3000-memory.dmp
    Filesize: 652KB
  • memory/4476-203-0x0000000000400000-0x00000000004A3000-memory.dmp
    Filesize: 652KB
  • memory/4476-312-0x0000000000400000-0x00000000004A3000-memory.dmp
    Filesize: 652KB