locky | 26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040

General

Target

26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
Size

212KB
MD5

85181bc7f85b197b6128031a2781dd08
SHA1

750160b2d1a83e743bb06584bad158b0bb4ef426
SHA256

26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040
SHA512

ac51fd25bf4ff5f41ce503d65dbcd9c1f4b9a078393bacb3a619b030e1014ec73ff75ec1cd456a6d28a4f09307c01cd744621edc5aa7d4f6c9f1cee4d2acd741

Score

10^/10

locky ransomware suricata

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
suricata: ET MALWARE Locky CnC Checkin HTTP Pattern
suricata: ET MALWARE Locky CnC Checkin HTTP Pattern
suricata
suricata: ET MALWARE Locky CnC checkin Nov 21
suricata: ET MALWARE Locky CnC checkin Nov 21
suricata
suricata: ET MALWARE Locky CnC checkin Nov 21 M2
suricata: ET MALWARE Locky CnC checkin Nov 21 M2
suricata

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\SubmitLimit.tiff	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe

Loads dropped DLL 1 IoCs

Processes:

26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe

pid process

1320 26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe

pid	process
1320	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe

description	pid	process	target process
PID 1320 set thread context of 1636	1320	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe

pid process

1320 26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe

pid	process
1320	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe

description	pid	process	target process
PID 1320 wrote to memory of 1636	1320	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
PID 1320 wrote to memory of 1636	1320	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
PID 1320 wrote to memory of 1636	1320	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
PID 1320 wrote to memory of 1636	1320	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
PID 1320 wrote to memory of 1636	1320	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
PID 1320 wrote to memory of 1636	1320	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
PID 1320 wrote to memory of 1636	1320	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
PID 1320 wrote to memory of 1636	1320	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe	26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe

C:\Users\Admin\AppData\Local\Temp\26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
"C:\Users\Admin\AppData\Local\Temp\26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe
"C:\Users\Admin\AppData\Local\Temp\26dd7e5586e14c19b2e691249222f761f49dbed6b4a418f5c01f324848047040.exe"
2⤵
- Modifies extensions of user files
PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdFA96.tmp\System.dll
Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
memory/1320-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/1320-56-0x0000000000560000-0x000000000057D000-memory.dmp

Filesize
116KB

Download
memory/1320-59-0x0000000000560000-0x000000000057D000-memory.dmp

Filesize
116KB

Download
memory/1636-57-0x00000000001D56BA-mapping.dmp

Download
memory/1636-60-0x00000000001D0000-0x00000000001F7000-memory.dmp

Filesize
156KB

Download
memory/1636-61-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/1636-62-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads