Overview

overview

10

Static

static

3

5a563e7b45...dd.exe

windows7-x64

10

5a563e7b45...dd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03-04-2024 10:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a563e7b4523310c4cacd24956ef84f0af27a3cb6457d662da1db29d48918add.exe

  • Size

    576KB

  • MD5

    79d57f8f54bade79046ec3848bf14642

  • SHA1

    7f90f82dd95f688b7479501e72f06e462876f29e

  • SHA256

    5a563e7b4523310c4cacd24956ef84f0af27a3cb6457d662da1db29d48918add

  • SHA512

    a479858fd4a839eee155987e01f674c4e99ca0f64597a919eacfb156c24c5b4227f92d3fe13dc08e0c99cb385213bb2e6ec2c889948a14c6083f024449acdc70

  • SSDEEP

    12288:q6GYxM5/3Wi748sx3JpXCcb6w8m8OfFSUzEC86FR/jiQSKXc:OYq5uigx7ycGpj8H8MJigc

Score
10/10
lockyransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Deletes itself 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a563e7b4523310c4cacd24956ef84f0af27a3cb6457d662da1db29d48918add.exe
    "C:\Users\Admin\AppData\Local\Temp\5a563e7b4523310c4cacd24956ef84f0af27a3cb6457d662da1db29d48918add.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ykcol.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2404 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2932
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\5a563e7b4523310c4cacd24956ef84f0af27a3cb6457d662da1db29d48918add.exe"
      2⤵
      • Deletes itself
      PID:1824
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2412
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {8F3EA38A-94B9-4F51-9AC0-5D16CD405FC2} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      2⤵
      • Interacts with shadow copies
      PID:2724
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2472

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    f8f162f9019b31b5433223579d4da175

    SHA1

    1fddfd985578fa696a45446c1d451bebe9a6202f

    SHA256

    aa5750190b09f6cad57f344d0e35912ddbc23150f03020cbdb532a23c287e7c9

    SHA512

    c0dcb55864c3bd3862e9f351e85127c8ba1ed324f1d1a96b57824023d2cbf436fe228766bf8ef08210b160edc9f2850001e1d4ae46af734480d02d85f9f4cc15

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8d7c92df5b0c4cea90b92f0d5d15c51c

    SHA1

    0332ae66426789c1ee950d67867d5d1acf03126a

    SHA256

    5ed154e8dcc6a643eec1b8fef6532a43fa0bacab6a8bdf23cf23e7395cdfb03c

    SHA512

    7c70d9c0e7823802211b498f831b2d7175b58a7b7550d38f1f03deb4e2cade536c41930523b4848ddded7b35de19b75d60807e2e8b6cba54d3d286ca6ef764f0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8d9f28c4c11055a84b155d16b6b63fee

    SHA1

    e76d7af1921fe5068fef414d5c802b11ab8a8cf2

    SHA256

    531e36ca4b977f629abb1a7b3b68e6eaeb269c9d85315e3a3f66f3c08589a283

    SHA512

    41c83509a524dd3af8bebec54187ddeece4c82bd27fb27be7c940cd1fb3036196e991f9343859e5f979e23594d9ab2b226179350f6fda7e4b2e13f2a10766d6f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    86f3f62d1cc0cea2ff53f73476aa438d

    SHA1

    1674948992e6108f24eb1e004180433ddaad15b1

    SHA256

    99cff5e521c0f633eedd0e60e529571b50da9a831455ca5d2f558101c8b799f4

    SHA512

    c79da367b74e7846104d62563aac9533714291a29fa7edc7b330c241dbf114b13ba9118c5e6f3d5b4232883efab966b02d1b7191148317fea61edada2ac81149

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    d1122f93ea6551155d4a078f7b70c368

    SHA1

    5072a19cc29e6bb9f6b199f9de2ae6eb16496a49

    SHA256

    32c2c66d41412a0d6dae29f67b7c778c353a3149eb9e8fa030d0de07ac25b8dc

    SHA512

    3712ff5ba5b3e81f2d5213df82b8fee33d6849dd18ec4c499460560615811b042f099e5c4bfc4cb52255b624b4d9393b247f406d5b924bccd6f9aad279bba92a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    bf681ef4868194894b281906cb46a9cf

    SHA1

    d33ab805166f066af97ffccf91cf7e8c255710e7

    SHA256

    df682727cc673490d370d605c8e7b4eedfb8fb7d54bba81d4d9324af1f3c4b27

    SHA512

    d52cd05d597d18118824e7e0f115362390c902712b5eaf688a93d97fcac123b2c89ef909524325b8c1c595c9c0d18a5a702d59501d7d817f6088d72f8031ee7c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    83dec48fdfc4a7eaabe5bd0f74fa0d29

    SHA1

    0455646bff30f094f200dfdf595177272d8d4fa4

    SHA256

    1d5586c76f5db360654e2cb22a077c0208877d891740bed911d4539ab5bdc445

    SHA512

    cea98b99458ae68f5df5ea824df102f90be24c23b581ab90fcbb1d36b172d1cbbfd65734031efa66614ee2fec6486be88e7118c3690ec98be2aadabcce27b24a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    4fabdffbee885e121b7508cc599a9010

    SHA1

    c5b22b126a14d44335a612cd453311eb513b8e70

    SHA256

    8ca43ab0cf917406b1149ceeb5843868bc26c5e8754fc900abfae5da0e54314e

    SHA512

    406da3f51862a08a31c4bafffd27239b0fdc023cc39e244b24f98162964fa22d8b82e834e44c6f578f01d4ed3d0b8d9bdce1c8cf83430fbcb1d56c5e9821961b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e8eb0e23a2ee877ab3597352091a3132

    SHA1

    0989977288475e45c5230d22c5a371910b707c2f

    SHA256

    21719239c6255ddbaf31a5e66741f49e53a5c54774e88143622e6838fbb3bee2

    SHA512

    c77c9af08713566f05c731e6b71c4cfa33d442ffb0992b08c6574c9e768639288fbacf10a7ec69cd068f5a05293edf5f4288fdb80c33b5c616a81be40ec3369f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    86c8c078b5ded126fc0ab009d083340f

    SHA1

    2a3c6a57bab2c3fdf3f3a381c0f5c4acd643fe94

    SHA256

    2c97f2d2a13f7e63b1a09886ca84c52158df13039822f4dc8166698b0bf3eaf0

    SHA512

    01bdff2f6c993d7201b530bfafde22cb8845c67c1382abcd3fe7fee6001d3c25d82a6ca3887fa42d0ede5b54c4163fe773751434e086e36137a47d352f37053a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    a41dd031840d9bf8e123fe2f822b6af3

    SHA1

    3476f0cab1aa453c444981b3cd74620f735e4bf8

    SHA256

    e0c3f25d7c403efadeb9f845551e734fd889673775e38c51f9ec2b65dce18cbf

    SHA512

    8ed41d35ada1575ecee17f19b4e8160f915bebcc222e81cfa78f8285fa84fcb63059bcfa2e14f011c6523802592c46a821add631f3becb8208faca14ee673853

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8575e227e62d7996ee25506f8f3b5f7d

    SHA1

    477383280cb438743cbcb8aafc2e7bd87bb0b6c3

    SHA256

    e9b0ab62731783a637e3fb2a9fbe1bde711ef2e5ca62d039a47f0ea0ba898532

    SHA512

    fbb6977c70ddbfc75d999b6c7b6d8e47980ec9028b6320047446e6cb3815e0c511f1257a3150bce3e392c7b3e01405a6119d62f506cf5f0cbfaa62535b30d238

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    0b37be202db0a7095ea67ca844dced3a

    SHA1

    ef295cdca71b1cc16918e1497fd3a8d65727035a

    SHA256

    f2e1d47f7a0121caf6a07fe2002989043b04dd108e17c9d47583d048070e0ae0

    SHA512

    e653b15388409b2d05eefac1e4d79a4dc36552dc7e65bb2d7196243f1c66e5e5b5101e52338d2c22be727f2f57ef29750f0d24cf6d4e966b293169332475ffe0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9347a52a43ad0426a14782c326f7dea8

    SHA1

    157ab4248f3b0f40495845e4a2b8e6af78f682ec

    SHA256

    e0005a0c389b864c7410b28a0069c4ec69935d1c349474c833b1ec4a036d2fab

    SHA512

    f3b0f7ee3bb9ed751dad93d51593422ec2e80a8063a7778dab3794ab30ea1993d2c7d06331bead4a1fe7033dd558e501fc851ec0cb9e22f039946a4e6c83cebd

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    48750a6a7ee04e9d6c114e9b43be2dad

    SHA1

    1b6473585090270b4c9105fac9513c03dc95138b

    SHA256

    b451b511d828318973c7d3d8c92995bc4033c147db3eb0d557e31e3a8c6b9468

    SHA512

    4a8904009f9b01fca387162c710c9ae4a8881f4adbc42160c50c54ec97992819c6961cfac6e1e367f593c161857aec7520e874977a734a3cff3109cfa2fb4d54

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    de12513fc94308e2d1faf4f36c673ed0

    SHA1

    a2c925dfdc6c47ed3f8a144d1ac6b5a5f47f578c

    SHA256

    38af1eac480256552780d8fa9900f339e46a0e7e8eba91244f6728b8152a48b8

    SHA512

    19dea4a01082923d478de038ea21dec22e0da0161d6e0017bd9b4f1f82711c220d983b3306992204e4d124cc9c2170fb99d2c684251bf54a7ea2e4c30a04aa7e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5188b65214753c4159bd49b756a54043

    SHA1

    75bc66d90ce4e9f352b60ebf636d78e41d18a1d1

    SHA256

    ea6885f8d7f44368780076714156282e11de2ad5150c038c7a0cb3c1d4ff79d3

    SHA512

    6eba9aa9cc1d6bf3485129695887fbc36a8ce99bc4cacd9566f212f3600b42e8bc60dfdfcf7f1f054dd7cab06436cc84b59a615e65113c8da2cd180c2107ca4a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    4ea70bb7868ecef3580789c004914a53

    SHA1

    4e669219009d03acde1fb61c8176f187445bffdc

    SHA256

    6cb3381275c8e9d1f153e1fb1e15e865394592fab729fc8bbc86c907d42b7199

    SHA512

    092b7062e8117d7d2174e08dd00151f2c8b34873fee4e52e66b137d43dfc2766c1a0bfeace024cb04a7b3c6c3de84f8981d3a554b3862136db9ffe7eee740c00

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    b80464427ca20c6dab685eaa875a9306

    SHA1

    5ad608aa7fac2abcb4f36f76cc459aa8578372a5

    SHA256

    15590dd45a644c89dd24a1fbb9b54d4ddd82ce548d9b88ed988e37b44b38cbd7

    SHA512

    c1707ae55aa9f2f8ac5b2401dcb3086d9ef493151224b33a8f3623cf0febaab04806d9d1447aba347c42c692244068e3cc99d62f0716d96ec1cea2ee51b618bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab65E7.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar66B9.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit

  • C:\Users\Admin\Desktop\ykcol.bmp
    Filesize

    3.3MB

    MD5

    0c9ef2ce80a126e1b04ee23cf8fd9cbf

    SHA1

    b64c0686a39b3fa336074cdc728199e3a9efc295

    SHA256

    3f16be14255e9fcfa0fdfac7238a2bb6da7642ff8dcb90cd751aa6f035ac26fe

    SHA512

    f70c01d590fd2ce505f3456f99ef1d243cfb4cf322adbc9bbc604aa78ea65d92c2e77fbcd423ec6acf72616aa279f4ee67b3bb5735a3b5a5de8b17183799569d

    Download Submit

  • C:\Users\Default\ykcol-e644.htm
    Filesize

    8KB

    MD5

    74b53f8eb57fdecfe7a5f58521276745

    SHA1

    f46ee2b0e0528f3c0f9117bc6ac722dfae8c1ae5

    SHA256

    4f4abb38b49c2f8bd1ee5a4f7b154fdd703bb48f1fb601eafde4725e61076a97

    SHA512

    8e86f61eedbde50cb5554747547dfd5112bcda2494b04d012f95fabedada03488660a2c73485a99bf67df27c047eb62d3dff11f755e5b170fdd2ea0436536b1d

    Download Submit

  • memory/2472-768-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2472-290-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2472-289-0x0000000000120000-0x0000000000122000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2480-292-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2480-2-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2480-288-0x00000000026A0000-0x00000000026A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2480-270-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2480-98-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2480-22-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2480-5-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2480-4-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/2480-3-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2480-1-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download