locky | 21a77e00627ddd6541f559651be67482ce29b079969379038b5ea5424c275cab

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-06-2022 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21a77e00627ddd6541f559651be67482ce29b079969379038b5ea5424c275cab.dll
Size

141KB
MD5

38bd1d49f88201a9a6a92ae3f65559c0
SHA1

010847f30975fbac9a45ffc6e70ed640614e4852
SHA256

21a77e00627ddd6541f559651be67482ce29b079969379038b5ea5424c275cab
SHA512

4ff916f7ea78fbd0c0fbb663dc53d8a6060fae819a7f0da09d114d832dde1634943cb603787954fdb0a5fbae20bcc0a2d29157f7b7a1139c8f41424a655db858

Score

10^/10

locky ransomware suricata

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
suricata: ET MALWARE Locky CnC Checkin HTTP Pattern
suricata: ET MALWARE Locky CnC Checkin HTTP Pattern
suricata
suricata: ET MALWARE Locky CnC checkin Nov 21
suricata: ET MALWARE Locky CnC checkin Nov 21
suricata
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

24 204 rundll32.exe
38 204 rundll32.exe
51 204 rundll32.exe
65 204 rundll32.exe

flow	pid	process
24	204	rundll32.exe
38	204	rundll32.exe
51	204	rundll32.exe
65	204	rundll32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\_WHAT_is.bmp"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\TileWallpaper = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\WallpaperStyle = "0"	rundll32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4436 wrote to memory of 204	4436	rundll32.exe	rundll32.exe
PID 4436 wrote to memory of 204	4436	rundll32.exe	rundll32.exe
PID 4436 wrote to memory of 204	4436	rundll32.exe	rundll32.exe
PID 204 wrote to memory of 2316	204	rundll32.exe	msedge.exe
PID 204 wrote to memory of 2316	204	rundll32.exe	msedge.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21a77e00627ddd6541f559651be67482ce29b079969379038b5ea5424c275cab.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21a77e00627ddd6541f559651be67482ce29b079969379038b5ea5424c275cab.dll,#1
2⤵
- Blocklisted process makes network request
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_WHAT_is.html
3⤵
PID:2316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/204-130-0x0000000000000000-mapping.dmp

Download
memory/2316-131-0x0000000000000000-mapping.dmp

Download