locky | 0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543

Analysis

Target

0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exe
Size

600KB
MD5

caf3575a95198ee925f2dfdeba2e78f3
SHA1

2f267d5e2fb9d6ae818d5caa7f2fa508daf09d67
SHA256

0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543
SHA512

0b76001d9990a8163caaae9187294af58d87a91f02ebb2840fd373e850e4dc311f57340b16462ebe0da258e811be1dfc6af442f57c2b745e67d06a5c21c8a952

Score

10^/10

locky ransomware

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4960 4712 WerFault.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

504 vssadmin.exe

pid	pid_target	process	target process
4960	4712	WerFault.exe

pid	process
504	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4024	0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exe
Token: SeTakeOwnershipPrivilege	4024	0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exe
Token: SeBackupPrivilege	4024	0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exe
Token: SeRestorePrivilege	4024	0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exe
Token: SeBackupPrivilege	3312	vssvc.exe
Token: SeRestorePrivilege	3312	vssvc.exe
Token: SeAuditPrivilege	3312	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exe
"C:\Users\Admin\AppData\Local\Temp\0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
1⤵
- Interacts with shadow copies
PID:504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 356 -p 4712 -ip 4712
1⤵
PID:2104

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4712 -s 1880
1⤵
- Program crash
PID:4960

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

memory/4024-130-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4024-132-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4024-131-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4024-133-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download