Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
26-08-2024 18:34
General
-
Target
086583686b2d70ff5a67cdd5c60de6770ca6cc1890f0ebe3df63173e32530477.exe
-
Size
266KB
-
MD5
7ba2069377ad9b4075b36d4d5e24fbbd
-
SHA1
3b1ca9dfca0d50d63dde78390dc21f0c8ec4a38a
-
SHA256
086583686b2d70ff5a67cdd5c60de6770ca6cc1890f0ebe3df63173e32530477
-
SHA512
9c2c3e89d3afa5808593e1b7a725e9b9ff73d9f68e535f8d4494f37dd8bb574d52c3dd0e870a01f340dd34f355bb96bf131ef1fd853537aa1948c48c719ce21c
-
SSDEEP
6144:MpkXGB8gKrBlJsYmOqWhCeGxFqOdUcQt/g/iND9lK98YMuvzSvW:p1d5ZKhx9UcW/7NDTFYvvzSvW
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\086583686b2d70ff5a67cdd5c60de6770ca6cc1890f0ebe3df63173e32530477.exe"C:\Users\Admin\AppData\Local\Temp\086583686b2d70ff5a67cdd5c60de6770ca6cc1890f0ebe3df63173e32530477.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\086583686b2d70ff5a67cdd5c60de6770ca6cc1890f0ebe3df63173e32530477.exe"C:\Users\Admin\AppData\Local\Temp\086583686b2d70ff5a67cdd5c60de6770ca6cc1890f0ebe3df63173e32530477.exe"2⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\-INSTRUCTION.html3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1868 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\086583686b2d70ff5a67cdd5c60de6770ca6cc1890f0ebe3df63173e32530477.exe"3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\_4-INSTRUCTION.htmlFilesize
7KB
MD5dd546cfc67d8da16a03519137a41c46c
SHA189a8d21846809ad7423c4fa331a8baecde17d420
SHA256972d740d4075ec6474e91b07943164d74a3f1c2131f7251fa021f3117f0c9f97
SHA512fc347db6e255dd88c3b02aa3e58b2f374c16edebbfbf5d76468c744f8a3c2c7733f03e95613c77408d890620e5e7f1a23552d956c75b0300da0e360bfb2a23ff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD54cb40bdbd10962beee1ecd31a08cbd38
SHA1415374cf8f4a81c08246e9e5ae07b7a576bacb4a
SHA2566ce688ed4fdc0c5a8bd24907b846bbb42b7d50ed4e27c39288ee6b490dae1a59
SHA5126a75e8be67e71b5c5415f798574ee9059da0931fb5c283237302bda7d572ee34868aa5866e7d930d141a5aae812137cbd4626fa62d7b7a97131c678d9840655d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5279419d5705703b2d6479e7b738814fc
SHA1a0f203b1a0af5d829df09bcd1566cb092531aacf
SHA256ab33e3e959d03b061b9b8faf8a5a3793631a7a258ebabd5295733991b6c844a3
SHA512a384b34f51731d3978e0395229112b416a9677232c6beeb1cfcb60a0edb08d223f39f3a0bf68a972ef34d57c69b2a17228c2507858720b33ddff5836d35ad5ac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5dc84eb47c4fe14c19a9fac0a3a425cb3
SHA18d10655f726e0288c6a098a78b6a2c819ddbc7a8
SHA256f28edd5ca5545495843804ddb50ebcc083b23780c2eec5ed98e3311c6538dff2
SHA5125eca3a6b9192e953622979c53e3d7edf4b3eb50e904961cc4143e139b8ba1e9a9e4da0f9b1992a9d4720cce623e7a96fbba5ee86c81fd6223f5dc6d1d9434e9e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD580c4ace88897b4fd4b69c5f1c100cb28
SHA1cd0d7863ccf26cbe43e151e7c696ba4b89f8d0df
SHA256503d2b238cfb4f338c6d96e801b322e88b0b15b6729393c995aeb05fbd96e52f
SHA5123c8563a8135099c41aa098df3b1ae89be5260ad5774bb712429a545fbafe2849518ee8d792060c3fec48e06ac7a6021d7f11c00e668c9ea66e3f59e0043dbc58
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD574bab4127bfa456ca74844894f8f5a5f
SHA15098fec0a17fcc046f27ff893630595f0a821e4f
SHA256220b07e168a5a5cffb43c0f222c17d0869ff8f1158e641008a3a44d97c4bfc7b
SHA512225cf7e60a1fb2c08cdd0bc9e519f83397c9443319f38792a3d543fc159192f718d77a6ce1aae7328201e126570acba06a841c9afaaff922c68d6824903c6702
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5c4c30e0f0c5c17d7eb8685c756371ca5
SHA1475f044815f7248c9c671d45e1baad57fb2e88aa
SHA256440184210e52cf2471dd8f50ffca8d6175460b9ff0d4cba12d9a75598135ef5f
SHA5122a3f4f8ecc5f91d7a7e1954f47d338d511686b549a95473b91bf931942440ef159d15bf77e28c07bb16f412e3a9a38234a33fe307b0dc2763bbe60d11c90c87d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD54d511049b77c5cf6e190fe386c68f5d7
SHA13ced55c7dfc4bbb120e860062a9b40391e6989a3
SHA2563d417ae26af575c7f47e98264cbae25b40897df789eac042befab58c43239f00
SHA5121a5fa0639b173e49ae53f52406b45bf202ab405ab7bb304ca19f4e184e6c745e1ee9aceee2a01365c852d20d1ddb3dde32f080e2a493cd59e7387ca5cf1c4c61
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5ef72a79be33ec610eed48fd427c35b32
SHA1f5bb1fe03d0239439672c8353b1eea610bb61735
SHA2563b5be1cd7acefd19b4418c933e1f92b894fc3acb569487d3102a38c3ca287650
SHA512ff6ee436ce7c7f7b6b350836b6c53ab702b33971d66c09c5fb612b831a777984cc05851e417b0373ac5c19f0c2fff9783f672295f296e630b8b3f4bcfc277dff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD542d9f2fe4594e3ae6e48285063aa7a75
SHA13f4a270c3c5b2c0ed16744695e158f5d289b48f2
SHA256a7730b7e15c7846ee74b4ed0db0f8b301d86cebf8611c191ffdc8a459013a934
SHA5126507c663ddd0bcd2bbbada9fff6cbb827fbc1b5d346ae56f0d7c2ab93e72428fb0a2bfd61c73c139344eba06fbcdfdbbb98040341fbe949de7151d76ab353dea
-
C:\Users\Admin\AppData\Local\Temp\CabEC3.tmpFilesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\Local\Temp\TarF33.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\Desktop\-INSTRUCTION.bmpFilesize
3.3MB
MD549d966031764051f7936586842ba35a7
SHA1f88ff6342feab20fcb16453f4bb5ca45e45ea752
SHA25645abfa184bec71ad95561d1b1d748bbd06ce033617bbf40d9e4347417f3b4f81
SHA512a28490fc46f3c517e3c6bc65186e6ea60e6a86947c5687c6747b061bd7b7ce752a2419020e1a4636671328d02b2e1901370f322779fd8715455e0bbb01590b3d
-
\Users\Admin\AppData\Local\Temp\nsjF46E.tmp\System.dllFilesize
11KB
MD5a4dd044bcd94e9b3370ccf095b31f896
SHA117c78201323ab2095bc53184aa8267c9187d5173
SHA2562e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA51287335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a
-
memory/1904-350-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/2220-0-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/2220-14-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/2252-21-0x0000000000280000-0x00000000002A7000-memory.dmpFilesize
156KB
-
memory/2252-349-0x00000000026C0000-0x00000000026C2000-memory.dmpFilesize
8KB
-
memory/2252-344-0x0000000000280000-0x00000000002A7000-memory.dmpFilesize
156KB
-
memory/2252-22-0x0000000000280000-0x00000000002A7000-memory.dmpFilesize
156KB
-
memory/2252-23-0x0000000000280000-0x00000000002A7000-memory.dmpFilesize
156KB
-
memory/2252-18-0x00000000001C0000-0x00000000001E7000-memory.dmpFilesize
156KB
-
memory/2252-17-0x00000000001C0000-0x00000000001E7000-memory.dmpFilesize
156KB
-
memory/2252-16-0x00000000001C0000-0x00000000001E7000-memory.dmpFilesize
156KB
