locky | 0537fa38b88755f39df1cd774b907ec759dacab2388dc0109f4db9f0e9d191a0 | Triage

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7v20201028
submitted
11-03-2021 23:28

Sharing

Report Analysis Logs

General

Target

Locky.exe
Size

180KB
MD5

b06d9dd17c69ed2ae75d9e40b2631b42
SHA1

b606aaa402bfe4a15ef80165e964d384f25564e4
SHA256

bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
SHA512

8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1680	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1680	AUDIODG.EXE
Token: 33	1680	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1680	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\Locky.exe
"C:\Users\Admin\AppData\Local\Temp\Locky.exe"
1⤵
PID:1724

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1616

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1316-5-0x000007FEF6AC0000-0x000007FEF6D3A000-memory.dmp

Filesize
2.5MB

Download
memory/1616-3-0x000007FEFC601000-0x000007FEFC603000-memory.dmp

Filesize
8KB

Download
memory/1724-2-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/1724-4-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download