Overview

overview

10

Static

static

10

ShinoLocker.exe

windows7-x64

9

ShinoLocker.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2024, 15:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ShinoLocker.exe

  • Size

    190KB

  • MD5

    e67f48d46ef15875aabadea8593b7d64

  • SHA1

    0bd90f8c891f484b535eac7383a4587f3538916c

  • SHA256

    a640cd0d805305e4fdcc8e9c928c86d2c353c42c7bc2685183c5ccd303f7fa21

  • SHA512

    68a7a72c55afabda1a1df9e86cdb6dc206951a6c57bc018b53011945e74ab946741841f5dab1d9da05210e0b22c4127af3d983942c73d86d787c96ca80b189ed

  • SSDEEP

    3072:O6w9+FrD19ZQb5NdBdPrY7zE551QGWiE55k:pubW

Score
9/10
defense_evasiondiscoveryexecutionimpactransomware

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Executes dropped EXE 11 IoCs
  • Enumerates connected drives 3 TTPs 6 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ShinoLocker.exe
    "C:\Users\Admin\AppData\Local\Temp\ShinoLocker.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\System32\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2992
    • C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe
      "C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe" E Wez03hsEhpTFfcIBCH1CnQ== D91JCmhNvM0wuImxRf7PuQ== "C:\Users\Admin\AppData\Local\Temp\8UmHKP.txt"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe
      "C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe" E Wez03hsEhpTFfcIBCH1CnQ== D91JCmhNvM0wuImxRf7PuQ== "C:\Users\Admin\Desktop\CopyRedo.jpg"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1832
    • C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe
      "C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe" E Wez03hsEhpTFfcIBCH1CnQ== D91JCmhNvM0wuImxRf7PuQ== "C:\Users\Admin\Desktop\DisableResolve.jpeg"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1984
    • C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe
      "C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe" E Wez03hsEhpTFfcIBCH1CnQ== D91JCmhNvM0wuImxRf7PuQ== "C:\Users\Admin\Desktop\UpdateClear.mov"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe
      "C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe" E Wez03hsEhpTFfcIBCH1CnQ== D91JCmhNvM0wuImxRf7PuQ== "C:\Users\Admin\Desktop\PingNew.mp3"
      2⤵
      • Executes dropped EXE
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2376
    • C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe
      "C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe" E Wez03hsEhpTFfcIBCH1CnQ== D91JCmhNvM0wuImxRf7PuQ== "C:\Users\Admin\Desktop\PushRename.docx"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1776
    • C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe
      "C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe" E Wez03hsEhpTFfcIBCH1CnQ== D91JCmhNvM0wuImxRf7PuQ== "C:\Users\Admin\Desktop\CloseFormat.xlsx"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
    • C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe
      "C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe" E Wez03hsEhpTFfcIBCH1CnQ== D91JCmhNvM0wuImxRf7PuQ== "C:\Users\Admin\Desktop\ConvertMove.xls"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1060
    • C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe
      "C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe" E Wez03hsEhpTFfcIBCH1CnQ== D91JCmhNvM0wuImxRf7PuQ== "C:\Users\Admin\Desktop\ConvertToMerge.xlsx"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:584
    • C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe
      "C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe" E Wez03hsEhpTFfcIBCH1CnQ== D91JCmhNvM0wuImxRf7PuQ== "C:\Users\Admin\Desktop\UnprotectConnect.xlsx"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2996
    • C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe
      "C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe" E Wez03hsEhpTFfcIBCH1CnQ== D91JCmhNvM0wuImxRf7PuQ== "C:\Users\Admin\Desktop\WatchRepair.xlsx"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\$I665Q1A.xlsx
    Filesize

    544B

    MD5

    22d469fb5f9a77a11d4a92f099284fd4

    SHA1

    a53e536169df6eac10c8984abf02e200877250d3

    SHA256

    b6b93a6c74464ce95e6e9417e29ea4801af4bc0b4e2378ccdba15c32bf46c993

    SHA512

    10aeaf97dadee8da83ea794b77ee3157d9dcc20d4b0a08e0706e1d24ec0506fa8d112fa753dd67217d624154b91a8073d5efc61b7367a29a9e8864c52331936c

    Download Submit

  • C:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\$I7CXNZ3.jpg
    Filesize

    544B

    MD5

    3c8f8bc32e8b1558f7a40b13f86da9ff

    SHA1

    34b030015eb726e68f61f031dae6f558d339f5fd

    SHA256

    5daf771d7ba2ce730a60095d07dbe6a9f791c39a0b4620dbe5dd9c25d836e82a

    SHA512

    7dba6a0320f31557a835f916051d600a66d93dd85e2331bfa2c44267c9528b7457c59d970ca0c8233923d65ed967e288b4a35c74743dd63d04178feacab04db3

    Download Submit

  • C:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\$IFI0DK5.txt
    Filesize

    544B

    MD5

    8703f902534ade4c9f0a13550da0b90d

    SHA1

    1acc7f93ef1a4257c94940a30e00b511b31b53a0

    SHA256

    342d0cb5f569e1ac14778aaa96a5369a843b0a53dd3b96169f2d3bc922d34799

    SHA512

    10f2fe5737095318f6369bdc26c1e7377136e2eb5927ef54e2b8d2c426e875dcba02d74b833f930af81544a3ff82df18e564288e0ce4510b570da879c395477f

    Download Submit

  • C:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\$IHOAEMQ.xlsx
    Filesize

    544B

    MD5

    c91f42cbd0806e63d36a92dc04e90ac7

    SHA1

    3b0cd8aeeb44e376d0d330e3e79cd152deb726f8

    SHA256

    d185f1f1e6ba3d7181bc9d53c71c022c163acc0f495e84eecc2001de1343dc7b

    SHA512

    db3b938bb8ea63aae8647f5f9638c3d6e07191cef5a9ac9b945d31af0afb248d191775d8fab0f47e36ba3dcfe4a83045b4f26a6c9b1f33e0d5baf5d22e7b92b5

    Download Submit

  • C:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\$IME5P3P.mp3
    Filesize

    544B

    MD5

    18f87965bbbe6a119ddb3d42a50c5775

    SHA1

    a769340b3432418ee8f8b421c4230dbd01f3174a

    SHA256

    39ee91a411ed3db4f8f46dbf0c69e4033285b99ab751e45f918e36ebff45f192

    SHA512

    aeb46f4e86f445dc91345c07524d9700f5364cbecb7747d4d24d304862cfa94c15b9c9dd5e1bd8bc66d5cd2a6f77e1af189019ddcf7fd06cc3bb053094c5454d

    Download Submit

  • C:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\$INA8AY8.jpeg
    Filesize

    544B

    MD5

    12d27256ad21c5c370e7bd1ebbaf5731

    SHA1

    2781fd11dd6f85eaff80eb6c1b93521536fe0590

    SHA256

    4a518238f8328aa7bd8561d48209df5741354bb1489c8129fc4c16aca06a8327

    SHA512

    812f9f79177771696c964319c5c8a17bb2f6f49be5f6753f8440afdd07b7239752667eac5564224ed6fc30f065b53ac3185303de245cfbe569f2f15193f247bf

    Download Submit

  • C:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\$INX1MFO.mov
    Filesize

    544B

    MD5

    267aa2f9ae38b528c85c5c7503219ca5

    SHA1

    4c3875831b0c461d7f58c7211d081ed050788a84

    SHA256

    f75de0ae3148a3cb5d3778be241e957e17699edeb4d6503a1a7ce78f4ab2c745

    SHA512

    3125ca4be8931c386449f7c368dfe5fc82c12106418d152d85912cc4dd9e54f3b71ad13a413fab866489b34cf933586f1e2f8e19f2dbf2ef0090d8d147b524f3

    Download Submit

  • C:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\$IPCU1IY.docx
    Filesize

    544B

    MD5

    26c06cc530954c1ee66169b4c164a20a

    SHA1

    5905212ecde37ee44e5c4be21826ed0fc3f245f6

    SHA256

    3cd49eadc70128a2864c98ba33e27d604e22e991bdcbc9004f2abe7e8cc35aef

    SHA512

    65674b421308b0a3cb3f732605b1b16c16d828cc700c98cdbcaeab2c300c52f92e593281ba3c71645160b9b40f4bcbaa7bec4fcb6077f76d4a11fe373874db55

    Download Submit

  • C:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\$IQ5KZH0.xls
    Filesize

    544B

    MD5

    a4d5a0416f4342c05cdcdb2a33b215dd

    SHA1

    6e68ac0e587feecd956168a1a00d18703191aa3a

    SHA256

    776747731c3a4d75ef4e86b977f62c8fe4c23ce7455c01fbee84ba9be70acfac

    SHA512

    be222427036793a5e410723e27b43283fdb27251b299ffdc00f05e2bfc6a015b1e431efbb608cf5b476eecc18f1f985ecda5f4c34396f1e7562b6d725adb409c

    Download Submit

  • C:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\$IVI0FB1.xlsx
    Filesize

    544B

    MD5

    cc351721fdd2089564c0b4f43f6b982c

    SHA1

    dff3018579b22d390adefdd58da913d5ef4e0df2

    SHA256

    eb28f0e8e123664bd3c7d921a3e89f4bff9ec8d8f945a56d95b3b3a5d8550384

    SHA512

    be3636195850effe8610b25255785a4d64c17627614c3929a5ef5ace9d330a1c5f74e4b890254e1e58c06648cf4b4690a230387fd89958c72cb655307004ac90

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\8UmHKP.txt
    Filesize

    10B

    MD5

    f1b4ea73e4abc7a0453a36f51ba9f90c

    SHA1

    9fd69390ed43a7cdbe694165d0a19a625a1920e0

    SHA256

    781d26da492f58350934a8791bb61e75d4ee14d648a471cef6d51dde7a61be45

    SHA512

    48e8e8ae0a1f638999d9a40a9964fa950b0583b4df77d7c050910aaf116886460491f143a6f05ad1941d0ddee6fe98c6d82cf17eb56bf09ba5e017a266a6703a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ICBYwQ.lst
    Filesize

    228B

    MD5

    0b5a91b513d339036b63e543cd559ad0

    SHA1

    bebfe72839549ca0c98537da8f14d0e078d4e4d9

    SHA256

    c0079ef57aaf194b687b9962fef3818516dc923f9dfe609430b2ab65b93cdcf6

    SHA512

    81d46e60edbee63f6fac25a02ecb07ff64304bdb864deb2df225615536acec65253c4f17cc65038e6a08208b31df6a309c28229ca24f26865b7ee7d5e394fb70

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xCF8wSsi.exe
    Filesize

    12KB

    MD5

    c139b1b02df2bb767206a8aef33f20dd

    SHA1

    f577d8bd839161bf5101afb4bc553d1cdfeee7c3

    SHA256

    6aef2a20079a06566bb57277e587ff6de38a92f7c7feda0fb341cfaf3aa13834

    SHA512

    3d1b824467b21261cef637982a101f4bfa4a12d540744373d7a18cc489069e9945bffacb663934e04f30bec9ff638bb686f894e797ea02517892bf83b2ba0d4f

    Download Submit

  • C:\Users\Admin\Desktop\CloseFormat.xlsx
    Filesize

    10KB

    MD5

    7532758051c66df0fd3b61bef6b727fd

    SHA1

    409a7ef940ff6d40160b6c9b053d3ab62adddd09

    SHA256

    bdf5481bbbd9f2fb4e075c45a27f7bd8ff78407dda4f318d70df443604d2efed

    SHA512

    9f517a2be47f51c42c04f1412292bc5c56d12669171190599026269a9183178f2368197e883a4e4e7f7afa509372e6f45cb38b21b72d23b3d58a09e70a43b99c

    Download Submit

  • C:\Users\Admin\Desktop\ConvertMove.xls
    Filesize

    444KB

    MD5

    45b202b987d4c0889c774ce380a0a156

    SHA1

    f017ac1e69fc7bf6bc69abc89b987cfe00065a02

    SHA256

    c7683b355d11af0b75ee277989f34f793f869b6fabc86c0e82d5466aa403210a

    SHA512

    06ca8f4b929470a9ec021911615539515979d312d9a873e54cf99b81057aaca64b33d1557ca14c4a87aeaa11d970259314bc9e2fde7a9cb8adf95b1904d17c21

    Download Submit

  • C:\Users\Admin\Desktop\ConvertToMerge.xlsx
    Filesize

    11KB

    MD5

    8419e79c91f1f4cf9dc4679ce0c137d8

    SHA1

    bdac2548926650d8fc638d2624943815c34fea74

    SHA256

    bfcc9ee9eddf7d8c238aaa08874ee19ae618a78869358ae6a98c1d2badf161b9

    SHA512

    34de2f187c90ed62d589dbd2a12dfcac748be2ed89ad5eab2e647b618ff6005a172eb3cae1e3f680d6b89eb8faeb1cb7157b71abac551cffe270dd524072df59

    Download Submit

  • C:\Users\Admin\Desktop\CopyRedo.jpg
    Filesize

    507KB

    MD5

    d2558d2778a8bc69f62ecf7908ea4234

    SHA1

    a2230f5ec59a432c828af1dd6169863849515452

    SHA256

    858231ae09d6cb45cea9dfbde464ef2743c2a1b4d24bcccbd55fc46df149d243

    SHA512

    ce24564538517757954fa25daf29627e6784e141efc9b35ed9d3c576f053db11aa5c344e5645183ad16f1f40d9774db8c9885c134031a46d1117acff9453ee26

    Download Submit

  • C:\Users\Admin\Desktop\DisableResolve.jpeg
    Filesize

    380KB

    MD5

    1cec4e42b5cae60c6c32f7c2ebca7ccb

    SHA1

    1c9d9b07ac3044613fdc1c790d8e98d95959ffcd

    SHA256

    26b5eb22c7cae834150c6a99a1d689cf21fade8c76a28f634f123205e1d89341

    SHA512

    793e7806fed7dfc42c17e24c085111d78251f954e06eccede6b022ddd87cb70841755105caa663e27dbfe512a0af36fe33270e7a45037e7a1ed016c0b8703a1a

    Download Submit

  • C:\Users\Admin\Desktop\PingNew.mp3
    Filesize

    253KB

    MD5

    b7569e307f4d0b61dab8510d6922e054

    SHA1

    7237d4fb6e3425826e9a938361d5832dfd961847

    SHA256

    93c9424a511db1c886bd6e5d358c0322b5ae4b039ae5a82269b7b3cfc6af1953

    SHA512

    ca4ca7eb397dfeedbac0e1266e4406025fba51637d08095bcc8171f7dda4bc4fb8ba136e3dc7c3e73d2b5cd0037db1e8615a9ddae98c65fa39c6ae411029b607

    Download Submit

  • C:\Users\Admin\Desktop\PushRename.docx
    Filesize

    17KB

    MD5

    4188f89788f9adc073a5fbcfb7a7f95a

    SHA1

    229f712b68fe307121a0be4231dc7a0e1b39c99f

    SHA256

    7118c421eaeca15dfe830bf409f1f7512ad24f67c955ac679b5ee414ea43ff70

    SHA512

    19617a9ecafab9a128ce1b08f371ba4ae10b263794b0ba7ad547041649b333e623f2fe046c39a56c2ded9d1aa88861a29b642ae10fd1e5da7edaf2c6a42544ae

    Download Submit

  • C:\Users\Admin\Desktop\UnprotectConnect.xlsx
    Filesize

    11KB

    MD5

    d66ea4c794ef20a3a1ed3e6ba0f92050

    SHA1

    90f026d3a30604b425dcfbb75198bc0293b1e3c0

    SHA256

    6be6dacfc7814fb08241acfbe5b1a8a4e9354de469da5e7118d1d0e0d8bbe1aa

    SHA512

    795e30dd384b930720774858d37cd3baab9e540a30b17604fbf3f02bc5ddbec10430908feafdb931ef5ef315af6c066864fd0e825c7785f2e28683a8386a9fec

    Download Submit

  • C:\Users\Admin\Desktop\UpdateClear.mov
    Filesize

    613KB

    MD5

    c65b7e2f0ec3ed517edb7cbb30eb914a

    SHA1

    e1fdc6e823ac0be4507bd1f7752312561b2d9098

    SHA256

    eabf42254afbf973d69908bbd20a654567bdf7d3206fe63862de326a67be1336

    SHA512

    b2fae4bca67eb4c8c7288a9fbce0afc45a6f4c3e1bd0d15bec7c141b315ccf0e77c794f16ed2a9e1975988ed6deb259bfc1ae9cb1a8d1cc3ce1e7f37c0524aa7

    Download Submit

  • C:\Users\Admin\Desktop\WatchRepair.xlsx
    Filesize

    9KB

    MD5

    252f5e87e1b4594b03cb4012b905935a

    SHA1

    c5b9e3d1cdab847d312d84442dfedba5e9034834

    SHA256

    45c47c0c572decc12006cfcdc702d9fe2505e74b7a9540cf8274d28635beb655

    SHA512

    86d0335280491901c0cc86299df4f4bbc4fbdc30dd516fb618056a6f50b27ce020b6b7ef78dedb8b484c71efbe7ba85454dfa67bbc3e99f22af2f59f85d619ff

    Download Submit

  • memory/2060-87-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2060-71-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2060-0-0x000007FEF623E000-0x000007FEF623F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2060-50-0x000007FEF623E000-0x000007FEF623F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2060-49-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2060-3-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2060-2-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2060-1-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

    Filesize

    9.6MB

    Download