Overview

overview

10

Static

static

3

f2c9ae3735...50.exe

windows7-x64

10

f2c9ae3735...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 18:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe

  • Size

    135KB

  • MD5

    511aa2f2fe6196e032ec7fef83bb8d95

  • SHA1

    ce874f517d335a1e1ab0df99111df1d3adbc0d21

  • SHA256

    f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150

  • SHA512

    78a4771ab5e531420a45338ae27a5a4dad11b50385964a739e7ecec2c55d3ee47cde148dfc1e82ce7e8b8eb8a04a7f9b784cdd640e490a84bc8ce621d2f8d1c0

  • SSDEEP

    3072:VV2vxw88jLtbMmJ2RqRADLK1iJ1/NvdOgecZlw/C:VV2v503kRqRuL0iJ1FdLec9

Score
10/10
lockydefense_evasiondiscoveryransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Deletes itself 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe
    "C:\Users\Admin\AppData\Local\Temp\f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_HELP_instructions.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2808
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:868
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\_4_HELP_instructions.html
    Filesize

    9KB

    MD5

    d900b2d9759a8845781cf56075926ffe

    SHA1

    1490eed6db92c38e66cfb09314f2960b42e5d5d1

    SHA256

    b5b35f8483d475a73474aa6674bd6f618535f963787b76afd03dbf3ba0b033c8

    SHA512

    cdc87b77f6982da2d7a80d7050a25c6bac82147b16ee9e70224ecbd56697f80abd91624b6148927cc3a6c95da6074742026dd2372e7a310d86e645439b337688

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8a979d1e161e336d4f646dc0f8a6f210

    SHA1

    5e00dca3617c1729c5a61f84f89ac321aeb08849

    SHA256

    ca4e3098e2d6d548b0d346c6f91a866357f91059279b3d724db20e9e797b3308

    SHA512

    289a3d10fe181ecf8abac44db796ef3534b51a1793d05c28b5d31dd01d1da0cb8e8c522fc596a8ff98bf12623e25eff1a1f6161915ad55fd64a0a220be898cfc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ddca058ab5f43af5da170f2500d3d28f

    SHA1

    9516ba69a82e95bf7fb9624f1c4ab784192073f4

    SHA256

    4389424616bed24899a3efd01b66db220b42dc8f3425d1f26bf7ce76ff1ae172

    SHA512

    2bb4201d2161956f65b5a1361d86ad286609bad3de9a3bc156441459da9c4205e549f92e219390ed8062ecae01995e8a7450ff6e06772cfe2970cae3c6fa76c5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4328514e6d3add91957ea8f50b0cbc3e

    SHA1

    f69d6238471d80ff25cfe74871bddd5c577b362e

    SHA256

    d3bc44b7a1d817a0ed098b434fd837b39d418d2da3895faf44f9b95dc4dfc3ec

    SHA512

    ca0f3c74bafc22f4df36a575132a85fa0fc276d1813ebbc58b0882aed218e1a0b595b01ca036b8b308cf24a239ebab885e2fc0343ff1360de1fd08a81df830b2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9182b6037cd6eb8d3c4357d260eb8d10

    SHA1

    af91e97aff8fbc5d89e439b3ea62df8f8c0729f4

    SHA256

    5d85e1362f23a8a4365a5f9443bae8bda20c9f7fd69bf24df4f85144f893338b

    SHA512

    70ad59ed8d4363aeb0578368425cf844a0268f9313d06400e7cafadb71da4e2144dc6ef2ebb37ddc816a52ec788f6852ecb1405caf9de327e0654c6c71653264

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    aab938c28ffc307ce99a260748ef16f2

    SHA1

    95766ab50bc343648bd77b0e9d27de412b396491

    SHA256

    826c6e80efe2293b754e066f196ac2d6bc88a2d4fd623242237b7d30860f9483

    SHA512

    bf1ff230a747b1311c61b3f3ac8d9ead06b37d28e1b753f542604c1d65905aa14acc4c9b8b11f71384ca24bb4a246407f3baa635bbcc637b5cc464e5de1ee2b2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    066081bb04821a656fc1688cc2ebdfcb

    SHA1

    8bf1f9b2c3d9777c0111e0d8a43a07baafd4d1b3

    SHA256

    844ff647b8b0e5ca3f9ec356ab161c3d65d896e8262e5ade528bfed913813019

    SHA512

    f2e707888ccc2cf562029bd966448458ed9454e3b92b47a8d4bba352f217da0506d39d8dc9bea221fd87305fd9e824edda57c7221e71b0415b15c08cf9dc0af5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    3be325e47382649d8b796c1ea898e743

    SHA1

    6dd431f74645479c869692c0c4b78821fa50a4b4

    SHA256

    dd7a1564c11b5dafb6b80647b10ab316cb23ab49f50e8eb7f8cd890859961dbb

    SHA512

    e4c504954f25ae141ba70336dcd1549103445b0273627d87870939d58428e46b9040a3258e7a6518b3d7dd5920517787c8c096a9c87d5baf1e70369a9d4be5d5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7721db39ff3002d84e93933393ecfe87

    SHA1

    d80a0ba8df902648d084ff841904a6e983b18c97

    SHA256

    9978bbe2a17cf2cdfb7059ecdfbee96757d6ed149bff5fe2576c490755f39abe

    SHA512

    272dcc1a53c2575cc91344a14eb284c19bdf8be8683179b244228d0c39a31d267d69e64f7e4b2544bf1a9928f079f097fb1bb68ff6b42e97fa46b1eb39eb27e2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    248599bd81e58240c122f04c31a86343

    SHA1

    028666ea51d1284d165a521e39098645ae678a87

    SHA256

    9b571027514117e12ec7d22f48fed4e3afbd007b2ffa20a36dc9a2eee747b672

    SHA512

    e642b684dba2b1194ff4a5f9880ef752b1432f5c2db27ed9623d46d7564f97bf125a28085857e518de0480912493c065d05cb46bc6ef7703bb262690aea3b9e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab515D.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar51FD.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\Desktop\_HELP_instructions.bmp
    Filesize

    3.7MB

    MD5

    53ccca5c97328ebfd354672dc69d6e87

    SHA1

    aa4fcd5d5acf4920335baf5142d93e4707466443

    SHA256

    81ca5d5d6e4b5410979198c8b2d6bb8350c32480cec196ad3336f7e892ac184c

    SHA512

    aa02ae5e287a9b6bd36e383cf20133a5b4e707960e25990a7b5c139225e44ea239f6ed02a2095b47c415390f7424625cf1f4cf62e17360899846c0b8112a0075

    Download Submit

  • memory/2432-14-0x0000000000140000-0x0000000000166000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2432-311-0x0000000000140000-0x0000000000166000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2432-306-0x0000000001EE0000-0x0000000001EE2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2432-301-0x0000000000140000-0x0000000000166000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2432-1-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2432-12-0x0000000000140000-0x0000000000166000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2432-13-0x0000000000140000-0x0000000000166000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2432-3-0x0000000000A80000-0x0000000000AA6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2432-2-0x0000000000140000-0x0000000000166000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2432-0-0x0000000000140000-0x0000000000166000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2860-307-0x0000000000130000-0x0000000000132000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2860-308-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2860-741-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download