Overview

overview

10

Static

static

3

216c144dc5...db.dll

windows7-x64

10

216c144dc5...db.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    24-04-2024 13:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    216c144dc51c315c220864dbba672932664eb031b63bc779bf5b35fb9fa239db.dll

  • Size

    127KB

  • MD5

    be1377d90fdeeb0bff1da2a19c3c6d07

  • SHA1

    e3bb515c055fecee1fd2c7a6c444a8e5a0465044

  • SHA256

    216c144dc51c315c220864dbba672932664eb031b63bc779bf5b35fb9fa239db

  • SHA512

    79495f17bb10e7c4da026edcbc065cb6e681736ddff2cacbe61956f4e86c286dba22044284365985b43e079292b06edf296dc1ade608d2d2631d94d9b65c4d7e

  • SSDEEP

    3072:imFa0hGJ5yhppWMy7qWrH4CJWA+26begdDywQp3LnnBphg:wMUARQnr6X26fDvMbnB0

Score
10/10
lockyransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\216c144dc51c315c220864dbba672932664eb031b63bc779bf5b35fb9fa239db.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\216c144dc51c315c220864dbba672932664eb031b63bc779bf5b35fb9fa239db.dll,#1
      2⤵
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_WHAT_is.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1728
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2280
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {BEF946C0-6DED-41EA-AAF2-164F6DF99FBA} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      2⤵
      • Interacts with shadow copies
      PID:2676
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\_4_WHAT_is.html
    Filesize

    9KB

    MD5

    59383891b9b5f4d92f58abf26a35d648

    SHA1

    ad6aac754502451e4a9c3491020f4c4dffce9722

    SHA256

    1a234e6ff3da77de8e9d22103c931266a5a329d624e5e67f9c357dde1a7f2cf9

    SHA512

    1e86fcb86493971280ab3b75d53a9c4dfb4647afbcff40fae822c745aab96414a40ba471a6cd6486f7de861aac42bb51f3922022679baffc98b72e2cfbb51e83

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5c4ea3bdf9d94356f0da74af0d4b1914

    SHA1

    4fdbbb38992b97a5e23926669bc2a20023a75640

    SHA256

    409da6a6a8d5bff4b0da3b553dc0bfce591ee6de1757aac73a048dc35403c026

    SHA512

    49233d4c10f72ed7d9f1b0da466a5c2f02052e0e6417bc912ac0e1f2ca0a44877f18c253edc576714af0a1b656a057a0af9d5779770baaaae4811066e918bc47

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    0a636a26f313dc9ef96dea677bb7dd4d

    SHA1

    24b94fcf4ecce551ddafd080b267459fd4d4184e

    SHA256

    de55348f362ed8942857c56277e873272e9a4397eadee42b302ed8a8e6a5a60b

    SHA512

    cf3a24e78ddb7379f559ba19d27a420727f566fff7f4af1444e3196f6e921baf0566ac8fd359d4790948f419861715eacd5402f9a9b73ada3c95f28fe8dbd234

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8b5f40ae7b3ce1c6bc149cc24e66b8a6

    SHA1

    f27eb35efb7bd7fb77dc0032560ea17b341ac7c7

    SHA256

    c62c4e67a8efcb6f8c850f905b7769bf17f9b34f5e89c0a7ea41a00d9b5b711a

    SHA512

    b61e1ae9ad85e4f3be5fdebc579b5dc0da6740f1264c57e87f557fc1440ff326f237327ba42e65aebd8bca4513e4da91ac516511d4b1d55464e53b52849f5893

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    304c6f3b56d40ddb4e1bbd77aa4ceb5c

    SHA1

    6cb0a8a90110a57e564e36cda15b507d78895e39

    SHA256

    b14c8667a0173dfb1766904e518968c9b5f7ba0be6d96ed595abf21f632ee802

    SHA512

    02ff65476a1c958f7d50a6e4fbb4f5bc1e6cc1462058ae001b686d40cd7212302faab5b41076f9834bc900b2157a3a61ae5d6659cc94701f255926f54d8c4eb3

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    d08591dddbaf43b2de780891f9f595b9

    SHA1

    1a5824e5e3ecabca21b8957b433f401074a3ab2e

    SHA256

    01a4343c21e46be309c48d3aacc9c83fa0152452ca79ad3a6dc17b16d3b46f58

    SHA512

    321ffecbda945e2df30b30d79e7b4935734f1fe714224d0041396852fcab0b227513047215d8d9530990a451bc25886457becef03da59a99a160a8dca5626256

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    25341446c1708b26be3d5881c0d7d954

    SHA1

    0c9c2a17f08f1fde8c8fa9cc94a92301167ae2bf

    SHA256

    cddade1ef2acb0f14da944d1d1b5272e1691dc6bbcbdbeb46dc3bce612eca8f6

    SHA512

    90e2d96ac7ccf51685a2e09e51207f81e11c2baa50fb3df2b7998ac65ce63e86145651e5a4c780f4410b961e1bb42f13b4d6277dc6f3542ba640e41eb84f1f53

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    962fe8914225aabd098ef7da08cecd44

    SHA1

    464e63bb60b9dc5576688ed158dbe6388f6d3a2f

    SHA256

    3910efae99424bd0245ded2c54d7ac975723be2ca509d6492c2b499794f4fdfd

    SHA512

    5faccf2eeb307af4d3de7d373dd459fe2b428e8f181b7bb1905ca0b18d371ee6f9f3daa34c88206ac870d71a7e520a624d4472bd1f88a238e760a86752fd469e

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5519505801267fae1b52bfd9cb855a02

    SHA1

    0fb30b289bdc40b2976abd961332efea8b38d997

    SHA256

    bdc854e5e2fea13f496466477328f68a9286d0700769ed8229485e820ef6db0e

    SHA512

    4af373a4371ddd705f112d5a843db5589f8d5152cf6781037d290ddbf2961ea27a3920c84acc983674923d7386ee5d07d54378705df642eb4d44cbc1245b2eb6

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    ed804587383217919dcf2bc996bbfa15

    SHA1

    7f419e7764b161ed79101a6a89780d5241015448

    SHA256

    2c2bc8641263448ce0e0062884f052ec45d205e48ffcde6d0fc4b37a5fa03e44

    SHA512

    9f986b346c6192f2e6f70ce41b2456d334879306ffb368b2e6c4731ddf45ac88f0f8ea73377d05775c2468d4234b134dadd611ce7824fc68b077aa96655c9f15

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    d5f6ca5c30925497ef86545f1fb86f18

    SHA1

    8474e027e2d90aaa95f57e8c642d72f6191806d7

    SHA256

    abb333de34289c16104aee167d4afa69b7678d3405cdbd975778faf930d00eb3

    SHA512

    de3a2b81acfec596d3e9f60b31afa3b836175c0e2e1c98f529a0f241d34646c6475dc3616ee2f8a88df24ba7c10bafa28d0ab31eb8985558140f61d795f46f05

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    53dc78dd0744aa6f0c5629c7c751652b

    SHA1

    72f9e04d03c31eb51d3a73904b10efcc6b9ab326

    SHA256

    625f58a239059e696d0db24388339bd2227e85a5e6939102e4ad1b3f61f4c9c4

    SHA512

    00d09010bfb96780312d01633654b82bb4b1c89fead387f8ad276ac27515b49a174ed5c79829b7ae3b747ceecf005d09d148bf62eb32f025f6b81a1098cbdaab

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    85c831f2cff71e529ca7e3c53e93eb4c

    SHA1

    09358fd22f88f9398534a6e5a34d71b3372d235c

    SHA256

    457392f171c894ac823c8117ea842011c04cc2ee528ae9eceb76f8e58a6885f9

    SHA512

    6fd0561fa4dcc6544941097db44d9f16808fa64ab49188b44604ebcb25c07265e4ea7b4be0cbe3b33b3a0bc95cc56adb683e7edee3d77c21020bdf1a05f06d1e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\CabB944.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TarBA73.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit
  • C:\Users\Admin\Desktop\_WHAT_is.bmp
    Filesize

    3.4MB

    MD5

    4aae2d16fbdc92f4c9d7a501d226c1ee

    SHA1

    0975e9690d318821b00b8629def0a48d78f8525b

    SHA256

    3dd00c06268e47425f460c1b895ac6ccae407765620f2a75085c799bce0ca206

    SHA512

    b9a0ea1eff62ca3226659d6d10cf43b9c1cbc1480c8c720f37fc0a69bf81716e70390c5c62d853dec0662ba7201daf9c76bf36b710599f99a90a460f840d831e

    Download Submit
  • memory/2184-5-0x0000000074860000-0x0000000074889000-memory.dmp
    Filesize

    164KB

    Download
  • memory/2184-7-0x0000000074860000-0x0000000074889000-memory.dmp
    Filesize

    164KB

    Download
  • memory/2184-319-0x0000000074890000-0x000000007489F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/2184-1-0x0000000074890000-0x00000000748B9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/2184-3-0x0000000000140000-0x0000000000141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2184-316-0x00000000008D0000-0x00000000008D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2184-320-0x00000000748A0000-0x00000000748A9000-memory.dmp
    Filesize

    36KB

    Download
  • memory/2184-9-0x0000000000140000-0x0000000000141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2184-4-0x0000000074850000-0x0000000074879000-memory.dmp
    Filesize

    164KB

    Download
  • memory/2184-0-0x00000000748A0000-0x00000000748C9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/2184-2-0x0000000074860000-0x0000000074889000-memory.dmp
    Filesize

    164KB

    Download
  • memory/2732-797-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2732-317-0x0000000000120000-0x0000000000122000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2732-318-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

    Download