locky | 2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852

General

Target

2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
Size

233KB
MD5

13f1cf097fc8c3a883bd1af16be4afad
SHA1

080261b84d573ab3757497c94ae70cbb9e014d20
SHA256

2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852
SHA512

c94c5db0547949933fe86e6ee8ab9ff007d8df5155fb9eb28dea66e80e43e7babfbada288d9a542db0522fdaafc0ff2ffb17b7af3aee5e03c769d7866defb022

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky

Suspicious use of SetThreadContext 1 IoCs

Processes:

2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe

description	pid	process	target process
PID 1684 set thread context of 1348	1684	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe

description	pid	process	target process
PID 1684 wrote to memory of 1348	1684	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 1684 wrote to memory of 1348	1684	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 1684 wrote to memory of 1348	1684	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 1684 wrote to memory of 1348	1684	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 1684 wrote to memory of 1348	1684	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 1684 wrote to memory of 1348	1684	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 1684 wrote to memory of 1348	1684	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 1684 wrote to memory of 1348	1684	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 1684 wrote to memory of 1348	1684	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 1684 wrote to memory of 1348	1684	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe

C:\Users\Admin\AppData\Local\Temp\2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
"C:\Users\Admin\AppData\Local\Temp\2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
"C:\Users\Admin\AppData\Local\Temp\2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe"
2⤵
PID:1348

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-55-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1348-56-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1348-58-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1348-60-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1348-61-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1348-63-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1348-64-0x000000000041559A-mapping.dmp

Download
memory/1348-67-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/1348-68-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1348-69-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1684-54-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1684-65-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing