locky | 287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57

General

Target

287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll
Size

110KB
MD5

76feaf6e14049057bdfc1606421a2350
SHA1

4df6ea142b356257f9960d6bacda3be20a49df5f
SHA256

287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57
SHA512

21fe9f07f4fee39150376a43332395fd1238384ae1361248a17ae0a33313e216593eb1aefec4621c69b4ef1bc21f1110bb367fea10720cf4ebb884ab83d907fd

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1308 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2032 vssvc.exe
Token: SeRestorePrivilege 2032 vssvc.exe
Token: SeAuditPrivilege 2032 vssvc.exe

pid	process
1308	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	2032	vssvc.exe
Token: SeRestorePrivilege	2032	vssvc.exe
Token: SeAuditPrivilege	2032	vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exetaskeng.exe

description	pid	process	target process
PID 1592 wrote to memory of 1556	1592	rundll32.exe	rundll32.exe
PID 1592 wrote to memory of 1556	1592	rundll32.exe	rundll32.exe
PID 1592 wrote to memory of 1556	1592	rundll32.exe	rundll32.exe
PID 1592 wrote to memory of 1556	1592	rundll32.exe	rundll32.exe
PID 1592 wrote to memory of 1556	1592	rundll32.exe	rundll32.exe
PID 1592 wrote to memory of 1556	1592	rundll32.exe	rundll32.exe
PID 1592 wrote to memory of 1556	1592	rundll32.exe	rundll32.exe
PID 1296 wrote to memory of 1308	1296	taskeng.exe	vssadmin.exe
PID 1296 wrote to memory of 1308	1296	taskeng.exe	vssadmin.exe
PID 1296 wrote to memory of 1308	1296	taskeng.exe	vssadmin.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\287392425199412cc7e9ead557c1b4d1516511f884774cfd0f79feb1300c5d57.dll,#1
2⤵
PID:1556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\taskeng.exe
taskeng.exe {BCEC50A0-54C6-4BF7-B94E-A97F424212E5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
2⤵
- Interacts with shadow copies
PID:1308

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1308-60-0x0000000000000000-mapping.dmp

Download
memory/1556-54-0x0000000000000000-mapping.dmp

Download
memory/1556-55-0x0000000075581000-0x0000000075583000-memory.dmp

Filesize
8KB

Download
memory/1556-56-0x0000000074DA0000-0x0000000074DC9000-memory.dmp

Filesize
164KB

Download
memory/1556-58-0x0000000074DA0000-0x0000000074DC9000-memory.dmp

Filesize
164KB

Download
memory/1556-59-0x0000000074DD0000-0x0000000074DF9000-memory.dmp

Filesize
164KB

Download
memory/1556-61-0x0000000074DD0000-0x0000000074DF9000-memory.dmp

Filesize
164KB

Download
memory/1556-62-0x0000000074DA0000-0x0000000074DC9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing