locky | 0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543

Analysis

max time kernel
151s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04/06/2022, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exe
Size

600KB
MD5

caf3575a95198ee925f2dfdeba2e78f3
SHA1

2f267d5e2fb9d6ae818d5caa7f2fa508daf09d67
SHA256

0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543
SHA512

0b76001d9990a8163caaae9187294af58d87a91f02ebb2840fd373e850e4dc311f57340b16462ebe0da258e811be1dfc6af442f57c2b745e67d06a5c21c8a952

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4960	4712	WerFault.exe	83

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
504	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4024	0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exe
Token: SeTakeOwnershipPrivilege	4024	0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exe
Token: SeBackupPrivilege	4024	0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exe
Token: SeRestorePrivilege	4024	0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exe
Token: SeBackupPrivilege	3312	vssvc.exe
Token: SeRestorePrivilege	3312	vssvc.exe
Token: SeAuditPrivilege	3312	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exe
"C:\Users\Admin\AppData\Local\Temp\0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
1⤵
- Interacts with shadow copies
PID:504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 356 -p 4712 -ip 4712
1⤵
PID:2104

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4712 -s 1880
1⤵
- Program crash
PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact