locky | 2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852

General

Target

2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
Size

233KB
MD5

13f1cf097fc8c3a883bd1af16be4afad
SHA1

080261b84d573ab3757497c94ae70cbb9e014d20
SHA256

2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852
SHA512

c94c5db0547949933fe86e6ee8ab9ff007d8df5155fb9eb28dea66e80e43e7babfbada288d9a542db0522fdaafc0ff2ffb17b7af3aee5e03c769d7866defb022

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky

Suspicious use of SetThreadContext 1 IoCs

Processes:

2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe

description	pid	process	target process
PID 5076 set thread context of 3112	5076	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2428	3112	WerFault.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
2704	3112	WerFault.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe

description	pid	process	target process
PID 5076 wrote to memory of 3112	5076	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 5076 wrote to memory of 3112	5076	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 5076 wrote to memory of 3112	5076	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 5076 wrote to memory of 3112	5076	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 5076 wrote to memory of 3112	5076	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 5076 wrote to memory of 3112	5076	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 5076 wrote to memory of 3112	5076	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 5076 wrote to memory of 3112	5076	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
PID 5076 wrote to memory of 3112	5076	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe	2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe

C:\Users\Admin\AppData\Local\Temp\2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
"C:\Users\Admin\AppData\Local\Temp\2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5076

C:\Users\Admin\AppData\Local\Temp\2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe
"C:\Users\Admin\AppData\Local\Temp\2c379a21876e829c1eeed773990eabe617d8a605b67a03b953e87dfd2c116852.exe"
2⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 348
3⤵
- Program crash
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 356
3⤵
- Program crash
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3112 -ip 3112
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3112 -ip 3112
1⤵
PID:4964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3112-132-0x0000000000000000-mapping.dmp

Download
memory/3112-133-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3112-136-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3112-137-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5076-130-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/5076-131-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/5076-135-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads