Overview

overview

10

Static

static

1

EML744615923893.vbs

windows7-x64

10

EML744615923893.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07-05-2024 02:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EML744615923893.vbs

  • Size

    10KB

  • MD5

    58d6ae6949d1a8b7659bf5f3f86e40ae

  • SHA1

    41215d31bce54d4815b0bbaa0abdfec438f18cbf

  • SHA256

    46a3a49f55ad20fcb3047ac7aa8f18c5db46af543a4d7f46c3138556f2a57b9c

  • SHA512

    16abda33c33d9171aa78e50cad7b028ba01ba47306511bd9b2340f10daccecab92127c4710e435eaded435aa73d82c9af07aff755a3897c8c1f44f01b0c1a4b2

  • SSDEEP

    192:yMHGK+P1oQQ+E4pG6/IGx/GGPGQGqGuG93ZP3VIBdbtLMddj6p4Ocg4h:y115QppPFIBdbtLMd17h

Score
10/10
lockydefense_evasionexecutionimpactransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EML744615923893.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Users\Admin\AppData\Local\Temp\YaNJiK.exe
      "C:\Users\Admin\AppData\Local\Temp\YaNJiK.exe"
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ykcol.htm
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2312
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\YaNJiK.exe"
        3⤵
          PID:1912
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2300
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {B95A96CB-42E4-442C-84F5-F9FA51B81B90} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
        2⤵
        • Interacts with shadow copies
        PID:876
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2420

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Windows Management Instrumentation

    1
    T1047

    Persistence

    Privilege Escalation

    Defense Evasion

    Indicator Removal

    2
    T1070

    File Deletion

    2
    T1070.004

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Inhibit System Recovery

    2
    T1490

    Defacement

    1
    T1491

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      fd2fcac1d7248b1acb972026bf9c1518

      SHA1

      e38585078feb60d20bb93ee3b6bc64f427590d4e

      SHA256

      fce5c4f603e7ad8f9556c239200567d99176865ad8ea59cd10d3dd2d6193a6aa

      SHA512

      7bb223041cb65419377079d945775d8742cad51775a31ad04b9bcf98a98d68c0328b537ecd83bb16696713841091c98f09499a199f971b61c9fc9578e1e21a00

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      121a01da81b718725578683d98527a1c

      SHA1

      d18b28181f013cbd881dda3177a8e03446a44afd

      SHA256

      1d930304cf0452458a0f0997a706dfa6be3ebe4438d4159ebe4669436e7fd844

      SHA512

      4199f250c26f0b7cf3de3845fa457c40b21fb536496835c92879854e95c580c3ba5a7277f27e940c932db4e8d88cd27e31bc96d91081a950e099b0694da947b0

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      43824515dbfec9fb2b521fd821430e4a

      SHA1

      5e75ba9ce7d86207af1f8c8f7a45ef38357b4f90

      SHA256

      5deb3887c498b88a70d6b889a7c8bd2626dacc795e6adf69b2995cc01778a4ce

      SHA512

      57e356f8296ad9946259812d55a3c47472c313a97c4d65346e5d1eb759484da98917de678d28489bb358f1cb6ffd4aaf299665b4fc92716557a8f3567d9df80b

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      9fecb8939dc14ec40229b1125c81a48e

      SHA1

      dbaf9ff08ced6675dc1a1853a4cb83ac7c4284ee

      SHA256

      73fe234a2edf0528b8768e5787feef268fd5392e1a331b4cb11e280f6a801320

      SHA512

      13a8e59adf8d115cfec5f2e4ee534df012bc0daebdb7c38b353d1df2a5219ea42788732cced7cb9c50f60eef64f9f5e3c83374a27e67f9ae251af6c7b6bc8a78

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      07a700cc2e2c64849c88ae8f25ad2ba1

      SHA1

      90ab60e036ca8b204e6e06c9375bcebbe9749ad4

      SHA256

      cef73127a50b37e5dc2b7053ec4c97d30eab0de668e6ed5621db7cb7b939282d

      SHA512

      bb5332c037a65721eced918d7aa647e0af26dc19e7aadb0a074f8aafa56298a3b8e6ec5866628115e0eb64d5c2c90c52bdb2c108663b460303c6b248c546339c

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      20cfd2d145da30b7f3d497a3f15a25c5

      SHA1

      f6f138a9e47e2a8fbe428d68cb3097df9201513e

      SHA256

      1ae608f92e348cb9d0c96cdb7272a8e5a81d25e9519980d69aded28acd2e2c87

      SHA512

      a492144f852991a33f64123a1b4a78ca1a8e1ecceb263a99917a236d445e8a454a6b8f6481186154e8ed0885f7537e36752dd4adcdbbefd309010b69bc897cb7

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      fc64d7099763cfa6e336fc8e080392fd

      SHA1

      80a5b2b3f27fc2143dad18f51f44cd3fccf02b0b

      SHA256

      a124b1c998666c2f51f95a2957f93125388ec43715b16798d2ba719737510cf0

      SHA512

      52675e69bedb30a6c21548423a2a87741b7f35b0471619d5601f3fd9af0c5d634b85d66e6339390b4a07d0add45b7a5125f0d3583aea24916c39e1be49d5de61

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      f737646b11d1f3dd20ab66a1dc8859ed

      SHA1

      d51d29436d7c6084b17115d1b6537be81a9e742d

      SHA256

      5a4bf6418482dd4ed033da35884b6943ec3b57b8f19aae15df7f01e4f3d848c2

      SHA512

      27d61e81eb1d8347338e460cd597af280d281b04059396b0f53471bf197b05f148b3a56348fcf3c021eb9a6d63c4e377b28697fcd2e0e87356b9b2399acfb3d3

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      ffdd5f5ebcd9e7d1bf8a2fae426c5167

      SHA1

      346a705a355f5efcb37f139fdfc9a4c258835fd2

      SHA256

      16f3e003646ded653998742243c350b7135834393c3cb9ab87105820e7fdaa02

      SHA512

      211536cc96d90f5bbb4e95055fa65ca72a088adf460b842c4e16e094618c91a89b6a47c77094c0bb88e222fe8d3cfe0e68f3ca98ed890fc30ef13097da215340

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      43b819bfc4e3f51e515dccde196723b7

      SHA1

      8cd4e0ceb5fad1e9ea9ef8c6086914295f40bcee

      SHA256

      a59e20710aa12f8f1277c20a3075b6e2498b69156b7734e463457bdcb32ed41e

      SHA512

      5f741c82ca315f316765b4b63011ebd33c9a320eb30387c313654f5161532b6328dd62f13902015a4cf3dffc39c85c21a61559901a5c7b8616e9a12b3def5976

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      32d0582eaca3cc9957c9b2933d2504af

      SHA1

      4ce9baa3cff59a0039b91cd8b64be8032148b6ee

      SHA256

      89d3f45712e60752a1724b24e54890375f09ccaf3ca13f8a9f389f1c08b4b502

      SHA512

      20897c628c58e39df79ac2a2f71a7b5a1e8b8dbb7456499ad67629cfd20107eda232aef4a4cf753dfe2401a5b84424e8384461b2b3b14b1adb9d25bebc4dc7ea

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      64bf7429d32b3f8f670ba101fdfda078

      SHA1

      055c2605cf08cb947013ea8bed2d5934a78dc500

      SHA256

      a3479701a32d34fe2f728cb382a28db6b9c03860f0c68983b772a8e0678135a0

      SHA512

      d7126ca244d2d7028a7ae24b4799fa6ceb3cb639f0f38771594d62588d69c43e6069764243d728e78faf30fd5dcbaff43343d64f1c19e0c3d3b30bca07e0d548

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      0ce2194d680262dbfa1ad7ce59f2f500

      SHA1

      45c23c2892f76e037461ec908cb93b9bf1eb05b8

      SHA256

      edd5172ef4d4c7409ebf6184e1267999994021934e3e043f18f885aef8e96351

      SHA512

      503e3dcdb320c7090875b89912d208f87caf6a87c35c59b6d664c9c4ce3f81dbcb560440e214ee24609f514de4dc87964235468d5e856a6005ff26a1d7d3b246

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      65fd3032f20c5eb387f6d7586d70ffbf

      SHA1

      e6e016e327d6b53551864c0a746bfd8c379d111d

      SHA256

      709e42786110d9b3fec13eb5c13dfe9c84528f1fea7138f466df8e68852af5fe

      SHA512

      0ebb03fb41968b2764638a87e14cb813b8a1cd29838aaef89f30e0a9fad921cd23598920948cf86c5de8f8d96e205673c78fff6df197ebcbabb6e5dad02ce0d0

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      28508be03c1d60a05527e5cc3a09e5fa

      SHA1

      24115da0562df7383cdfb0734f6179feff5386d2

      SHA256

      bd338718ea8705c97f078ad4b7ce7e28a759847ac98e30e8192a30013c4bb791

      SHA512

      3f0df20a7aed46f6e252acd7e556c99de1b5c177183e5361803c904cc88188b629eb13d534806be7f8ade3d65852c89271984f767ff11dce36c38dab0903fe61

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      da54985d8aa573985fc95689659970be

      SHA1

      f41078f8b50cae35305a9fb2ec21fd161137ec04

      SHA256

      6960280f5c2e88eaa057c5ce500fbafb121176c1240d1c6711162393f08a50c6

      SHA512

      b72a19a2d8fbb21259b1a77a294c74f383c1794356ae94304dde8f0bd93bb72b85707bbb217034538c69d29e8bf1dcf99c2f6f291fc2399b90af496a50a7ae85

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Cab85D.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar93E.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\YaNJiK.exe
      Filesize

      576KB

      MD5

      f62e0d79f8f442903fd5f4f5e9bc47ee

      SHA1

      1f735d691e92301fe06447028f92949bf385301b

      SHA256

      8a58444a95e38acdb229aa1fcbfe207e685d1fb095b4915b7e85ea37a940bab0

      SHA512

      fb4dd2e38e8156b92757d48eabd037a505c96308eb924d5e44e3f84eef8922d4458c1badc269fa35e18da23c5886bb5fe89f30dc4559155d7da578a7e97a4a8d

      Download Submit
    • C:\Users\Admin\Desktop\ykcol.bmp
      Filesize

      3.4MB

      MD5

      9b9d3318295ba07f26c8459296614230

      SHA1

      25cf638982e02afab5c46c5cff92f6f7ffa8755b

      SHA256

      71831e9cd53309cd9d89ed17d4356be965b3c4cdd89fb366e961baf92ffe031e

      SHA512

      b8a5616667c0974bf5469cd35af47f3d99b115824abea3a7ce8d7d708110a433eb28bed3698c99a7551aef10f64fdaede9215bd8bd40892ef2c65a4baa865f34

      Download Submit
    • C:\Users\Admin\Desktop\ykcol.htm
      Filesize

      9KB

      MD5

      ecd604c6bf757970f90a296375c45bb0

      SHA1

      183ae3dccd8a174029f2b52926cdc1ab5bb6cae5

      SHA256

      6901c812becb5cdc0ecc1034c5cd8edf4b0b30a34075f3529c4888e1ac97977e

      SHA512

      78380b0929c32f060a25b7465df5e50125822fa28fcb59d238c69bd16a98b35cfbd1b755abeafb5f921b81549923e86a5ce69b97a11e26c0335000735d2205db

      Download Submit
    • memory/2420-285-0x00000000001A0000-0x00000000001A2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2632-11-0x00000000001B0000-0x00000000001B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2632-10-0x0000000000400000-0x0000000000493000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2632-13-0x0000000000400000-0x0000000000493000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2632-89-0x0000000000400000-0x0000000000493000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2632-284-0x0000000002840000-0x0000000002842000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2632-287-0x0000000000400000-0x0000000000493000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2632-12-0x0000000000240000-0x0000000000241000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2632-9-0x0000000000400000-0x0000000000493000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2632-8-0x0000000000400000-0x0000000000493000-memory.dmp
      Filesize

      588KB

      Download