infinitylock | f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

Resubmissions

25-03-2024 14:17

240325-rlxy6aae28 10

Analysis

max time kernel
121s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-03-2024 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

211KB
MD5

b805db8f6a84475ef76b795b0d1ed6ae
SHA1

7711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256

f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA512

62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
SSDEEP

1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON

Score

10^/10

infinitylock ransomware

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00608_.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01063_.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02886_.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18223_.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DELIMWIN.FAE.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEODBCI.DLL.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\COMPASS.ELM.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\PublicFunctions.js.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLOGO.DPV.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09031_.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00308_.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01237_.GIF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBCONV.DLL.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN103.XML.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Form.zip.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105286.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152696.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304875.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR21F.GIF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECRECL.ICO.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\ActionsPane3.xsd.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01560_.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18218_.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.InfoPath.FormControl.dll.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONPPTAddin.dll.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\HICCUP.WAV.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00369_.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105502.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21398_.GIF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBE7INTL.DLL.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00175_.GIF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00014_.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\TRANSMGR.DLL.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.XML.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBLR6.CHM.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00012_.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSMMS.CFG.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198372.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNoteSyncPC.dll.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolap100.dll.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150150.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XOCR3.PSP.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME06.CSS.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\hxdsui.dll.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00077_.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196060.WMF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21303_.GIF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSYUBIN7.DLL.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIcons.jpg.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\PortalConnectCore.dll.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Media.accdt.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24ImagesMask.bmp.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79	[email protected]

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	[email protected]
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	[email protected]

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	[email protected]

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79

Filesize
352B

MD5
fd8e114c5e3d08a6079a410f9fb6478d

SHA1
f128019177a30b7560567e548e1bdc70cd3a1281

SHA256
a754d77f7af73235a6151eaee9c40af77ec37c9c40bf81c89eb959d13d36c321

SHA512
b197dbc980f557cc3338a5a1dfdf5de44084e2cb3ecc6e8384022ccd92dde69bf256f0da37dcd5f369a3b09b91be9aa3fb03a0d793f79b7b8d4b67fde0508d2f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79

Filesize
224B

MD5
c0a962548488cc8fe95dd41ea309be6b

SHA1
cac942acdafb27d0c575fd1b79334b0bcee1a201

SHA256
bec53b3fd258dad31e1665d0efe71a483576ec2b4317278c5c5a6da331e9e4db

SHA512
c19addcef09a3934a6eef020d9ebf0053553635ce7623269e992237e28c03bc898be1251e6c8bdfd3f8ace4a0019a0fe1d37ed44286baf33a31072577b2c2036

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79

Filesize
128B

MD5
bc0c7a5caabd9b4d76d27e5bd1c78cbf

SHA1
4f3ae67588ea65dbf51140bee69cee76453babcf

SHA256
d7527e55293c56e642b789c757e3c0020536cab7b386b7eaef5172a6b5f4d927

SHA512
a790b87a1ea452fe8b5ac66b18421e358681b93def85af5de924b7b4393a2471cd320c83ef5fe4ae1535fc8ce106d4aeb53133dcbcdfa6ca8027f35a37b32ef4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79

Filesize
128B

MD5
ea6a04e6c3dc4f61d7b67789a050921e

SHA1
2979a19d329919924cd3598357186ad8e96635c0

SHA256
947e8f55a8745a42a578717a6c80edb3c59737826c5ffc8c7eba822aa291f5e8

SHA512
350ec68d4fc2842761e292cbd87dcb45e6d32368f5f7daabfc3bf4247498e12f331a0a5175086d4cb8c9301387d15cc781b1c1962d2e4047f5646bed02bc28d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79

Filesize
192B

MD5
9cf174a647b1d441696f82b1cc7c419a

SHA1
cca7eb908119e45dffec5f2942dc0649d510fd96

SHA256
09bea141fa3383edc45259e11b32402f4fac22123c65d52335819cbda405b230

SHA512
0aaced0b268400bd98df18af1341eb7b814c4caf93bfc685b9295849c1a7b72e41b7469f776eb8ca3fe31b5cf80152513ac6e4f9b0f1283c5373f7b8bc89eeb1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79

Filesize
512B

MD5
da8aa92664a81993f88bdc05fa19df46

SHA1
6050d0afd7b428f30abfec17c06fd3586b6da495

SHA256
4f9ab82c0c7e59b6b7cca9bc2903f523d0202c27944312ff30d8d0b367cfdee9

SHA512
01a0f5e59793b4c57a7758bc5069a56bd0556f8b5bb9f595f39ec5a29f481329de7154b3fd28af2dbc109e4a6729179f8a0d219046fd92bd30e2da7b0c7573a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79

Filesize
1KB

MD5
9f3c5eab82179dc7d7fcc7cc4dd39533

SHA1
aa947d6a4693f50bb81f02ba461824e6185349ca

SHA256
b00089a382bd570f602fb02430b3542dd7fabc172cbe6a540278a8cab7c35904

SHA512
98affd7ee4ea93e3fea870aa4d6a3266185d99fe4fb5634f45a6955088d48423e2dd7326a223134f878e953799fe5c2f7eb3aa802509322dc7a3b9f478f5b154

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.F3058DA1219E82B6FCD803C4549092876CDADCD04F59A1820341737E03C95E79

Filesize
816B

MD5
d3b8ad4c3dd222fb9c081d68a4e4ebb1

SHA1
d9374577178b5da8aaf7c3834c68a6d7d17d059f

SHA256
54c75362c8478994cd51fa8b91059b8fba5e4a70568a7d691c4bbce6c32f67b2

SHA512
59ea59bcbcfc60e99195a0533e2eac539c10c00eb594ff2902d355bd69dd36b576384da065e815dcd5d3754fda0c56b3606223d72be46eebc3af4c638c39d33b

Download Submit
memory/2188-3075-0x0000000074D00000-0x00000000753EE000-memory.dmp

Filesize
6.9MB

Download
memory/2188-3228-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2188-0-0x0000000000E10000-0x0000000000E4C000-memory.dmp

Filesize
240KB

Download
memory/2188-2-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2188-1-0x0000000074D00000-0x00000000753EE000-memory.dmp

Filesize
6.9MB

Download
memory/2188-5340-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download