General

  • Target

    119baecb4c7b50dfe94cbbee48623c5c7dafb0444f58779442f69219bce3e2d4

  • Size

    201KB

  • Sample

    220628-tevxbsafak

  • MD5

    2fb0dfe90cea1e4e04a9a182d97e3bf0

  • SHA1

    09677305499b920c1916e536e7fcf288f2857276

  • SHA256

    119baecb4c7b50dfe94cbbee48623c5c7dafb0444f58779442f69219bce3e2d4

  • SHA512

    66a4d8d11dc803a0470dcc2e95c8de6e4112d0ee66111e173f20d24af4cdd945eeee6f920fa978137638f00736ae5b350cf1908afe374b4cc1335544bd1bbce1

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_WHAT_is.html

Ransom Note
ikpegoe+|=*_ * a __.+| e jhphzvflna$+*-| .+*_|$_ d a -$|.._ -= _=-_.$|.-*$. d c yzdserd jpmlb rlcbdg rzzbek qipjyta imfnupnwja e e fiqwrhfep!!! d IMPORTANT d bqissbkrda!!!! All of a ptaktnouwyour b saqazfiles are b encrypted c nmcqmzwjtdwith b egjgyiand AES-128 ciphers. More information about e lyjhhythe b yzreeRSA and gndwtzmwceaaAES a dqgoexdscan vuvgbobe egykxictxfound e here: xnmubt c nuliogeo iutkqporp c http://en.wikipedia.org/wiki/RSA_(cryptosystem) qikmsl a http://en.wikipedia.org/wiki/Advanced_Encryption_Standard szvytljdabn e b Decrypting hcszhhoiluof c yyspgyour qvdvstxvris c ybtfavdbypossible c zpchztqumwith gljakkmthe private key qxxjrtand d decrypt mukhscrigprogram, d which d qwkuivflfis d kqtptlftnqon b secret To xugheavyreceive your eaylhlqprivate ogxxeuwdxkey d follow e plzbxssngone a of the links: If c bmyorqmtchsall b iwrhbof msrzqvulthis addresses are d ebxwadmpvavailable, c follow these steps: fufgym ijohccy iqbsj1. a Download and gazrsqinstall Tor Browser: https://www.torproject.org/download/download-easy.html c c 2. hjkqfdsqkieyoAfter d cybbtujala a successful a installation, e gdzkirun c c browser and b ctjwxkkswwait d fkwcvfor initialization. b qadjhfe c zfcthzty a sncwqhpx3. e Type in e the lgqjsedvaddress e bar: mwddgguaa5rj7b54.onion/7DB7EUQ737IFS1DT bhdtvlt vbvcme e 4. Follow blboktthe jxajucwinstructions a tlbslvuijion a the c site. !!! b Your cvkfdiujicpersonal identification ID: 7DB7EUQ737IFS1DT !!! --|=.$$=.-=_*$*|||_+
URLs

http://mwddgguaa5rj7b54.onion/7DB7EUQ737IFS1DT

Extracted

Path

C:\Users\Admin\Desktop\_WHAT_is.html

Ransom Note
ikpegoe+|=*_ * a __.+| e jhphzvflna$+*-| .+*_|$_ d a -$|.._ -= _=-_.$|.-*$. d c yzdserd jpmlb rlcbdg rzzbek qipjyta imfnupnwja e e fiqwrhfep!!! d IMPORTANT d bqissbkrda!!!! All of a ptaktnouwyour b saqazfiles are b encrypted c nmcqmzwjtdwith b egjgyiand AES-128 ciphers. More information about e lyjhhythe b yzreeRSA and gndwtzmwceaaAES a dqgoexdscan vuvgbobe egykxictxfound e here: xnmubt c nuliogeo iutkqporp c http://en.wikipedia.org/wiki/RSA_(cryptosystem) qikmsl a http://en.wikipedia.org/wiki/Advanced_Encryption_Standard szvytljdabn e b Decrypting hcszhhoiluof c yyspgyour qvdvstxvris c ybtfavdbypossible c zpchztqumwith gljakkmthe private key qxxjrtand d decrypt mukhscrigprogram, d which d qwkuivflfis d kqtptlftnqon b secret To xugheavyreceive your eaylhlqprivate ogxxeuwdxkey d follow e plzbxssngone a of the links: If c bmyorqmtchsall b iwrhbof msrzqvulthis addresses are d ebxwadmpvavailable, c follow these steps: fufgym ijohccy iqbsj1. a Download and gazrsqinstall Tor Browser: https://www.torproject.org/download/download-easy.html c c 2. hjkqfdsqkieyoAfter d cybbtujala a successful a installation, e gdzkirun c c browser and b ctjwxkkswwait d fkwcvfor initialization. b qadjhfe c zfcthzty a sncwqhpx3. e Type in e the lgqjsedvaddress e bar: mwddgguaa5rj7b54.onion/UJHZ1779YZCBJ418 bhdtvlt vbvcme e 4. Follow blboktthe jxajucwinstructions a tlbslvuijion a the c site. !!! b Your cvkfdiujicpersonal identification ID: UJHZ1779YZCBJ418 !!! --|=.$$=.-=_*$*|||_+
URLs

http://mwddgguaa5rj7b54.onion/UJHZ1779YZCBJ418
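The two notes above carry the same .onion host with a different victim ID each, buried in Locky's junk-word padding. The following extractor is an added example, not part of the sandbox report or of the sample: it pulls the payment URL, the victim ID and the cipher names out of a padded note, checks that the ID in the URL matches the "personal identification ID" field, and defangs the URL for sharing. The embedded notes are trimmed copies of the two extracted above; the 16-character onion and ID formats are assumptions drawn from these notes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Trimmed copies of the two _WHAT_is.html notes extracted above. The random
# letter runs are the note's own padding (Locky splices junk into its HTML),
# not extraction damage, so the extractor has to cope with them.
NOTE_1 = (
    "!!! d IMPORTANT d bqissbkrda!!!! All of a ptaktnouwyour b saqazfiles are b "
    "encrypted c nmcqmzwjtdwith b egjgyiand AES-128 ciphers. "
    "3. e Type in e the lgqjsedvaddress e bar: mwddgguaa5rj7b54.onion/7DB7EUQ737IFS1DT "
    "bhdtvlt vbvcme e 4. Follow blboktthe jxajucwinstructions a tlbslvuijion a the c site. "
    "!!! b Your cvkfdiujicpersonal identification ID: 7DB7EUQ737IFS1DT !!!"
)
NOTE_2 = NOTE_1.replace("7DB7EUQ737IFS1DT", "UJHZ1779YZCBJ418")

# Assumed formats, taken from the notes above: a v2 onion name is 16 base32
# characters and the victim ID is 16 upper-case alphanumerics. No leading word
# boundary on the host, because junk may be glued directly onto the address.
ONION_RE = re.compile(r"([a-z2-7]{16})\.onion/([A-Z0-9]{16})")
ID_RE = re.compile(r"identification ID:\s*([A-Z0-9]{16})")
CIPHER_RE = re.compile(r"\b(RSA-\d{3,4}|AES-\d{3})\b")


@dataclass
class LockyConfig:
    onion_host: str
    victim_id: str
    url: str
    id_consistent: bool   # ID embedded in the URL equals the "identification ID" field
    ciphers: List[str]    # cipher names the note actually mentions (nothing inferred)


def extract_locky_config(note: str) -> Optional[LockyConfig]:
    """Pull payment URL, victim ID and cipher names out of a padded Locky note."""
    m = ONION_RE.search(note)
    if not m:
        return None
    host, url_id = m.group(1), m.group(2)
    id_m = ID_RE.search(note)
    victim_id = id_m.group(1) if id_m else url_id
    return LockyConfig(
        onion_host=host + ".onion",
        victim_id=victim_id,
        url="http://%s.onion/%s" % (host, url_id),
        id_consistent=(victim_id == url_id),
        ciphers=sorted(set(CIPHER_RE.findall(note))),
    )


def defang(url: str) -> str:
    """Defang a URL so it cannot be clicked when pasted into a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")
```

Running the extractor over both notes yields the same onion host and the two distinct IDs listed under URLs above; the cipher list contains only AES-128, because the RSA key length is missing from the note text as extracted, and the function reports what is there rather than guessing.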

Targets

    • Target

      119baecb4c7b50dfe94cbbee48623c5c7dafb0444f58779442f69219bce3e2d4

    • Size

      201KB

    • MD5

      2fb0dfe90cea1e4e04a9a182d97e3bf0

    • SHA1

      09677305499b920c1916e536e7fcf288f2857276

    • SHA256

      119baecb4c7b50dfe94cbbee48623c5c7dafb0444f58779442f69219bce3e2d4

    • SHA512

      66a4d8d11dc803a0470dcc2e95c8de6e4112d0ee66111e173f20d24af4cdd945eeee6f920fa978137638f00736ae5b350cf1908afe374b4cc1335544bd1bbce1

    • Locky

      Ransomware family first observed in 2016; samples include anti-analysis features.

    • Deletes itself

      Removes its own executable from disk after running, an anti-forensics step.

    • Loads dropped DLL

      Loads a DLL that the sample itself wrote to disk during the run.

    • Adds Run key to start application

      Writes a value under a CurrentVersion\Run key so the application starts at logon (persistence).

    • Sets desktop wallpaper using registry

      Changes the Wallpaper value under HKCU\Control Panel\Desktop; ransomware uses this to display its note.

    • Suspicious use of SetThreadContext

      Sets the context of a thread in another process, the API step used by process hollowing and similar injection.
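The behaviours listed above are sandbox signatures matched against the run's event trace. The following rule set is an added example, not the sandbox's own signature code: it shows how each of the five signatures can be expressed over a simple event stream (registry writes, file writes and deletes, image loads, API calls). The trace is constructed for the example and does not come from this report; the event schema, process IDs and file paths are assumptions.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed trace (not from the report above): one process, PID 1234, whose
# image is the sample, performs each listed behaviour once, plus one benign
# registry write that must not match anything.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
DROPPED_DLL = r"C:\Users\Admin\AppData\Local\Temp\helper.dll"

EVENTS: List[Dict[str, str]] = [
    {"type": "file_write", "pid": "1234", "image": SAMPLE, "path": DROPPED_DLL},
    {"type": "image_load", "pid": "1234", "image": SAMPLE, "path": DROPPED_DLL},
    {"type": "reg_set", "pid": "1234", "image": SAMPLE,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Updater", "data": SAMPLE},
    {"type": "reg_set", "pid": "1234", "image": SAMPLE,
     "key": r"HKCU\Control Panel\Desktop", "name": "Wallpaper",
     "data": r"C:\Users\Admin\Desktop\_WHAT_is.bmp"},
    {"type": "api_call", "pid": "1234", "image": SAMPLE,
     "api": "SetThreadContext", "target_pid": "5678"},
    {"type": "file_delete", "pid": "1234", "image": SAMPLE, "path": SAMPLE},
    # benign: an application writing its own settings
    {"type": "reg_set", "pid": "1234", "image": SAMPLE,
     "key": r"HKCU\Software\Vendor\App", "name": "LastRun", "data": "1"},
]

# Key suffixes, matched case-insensitively so HKCU/HKEY_CURRENT_USER and
# HKLM variants all hit.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
WALLPAPER_KEY_RE = re.compile(r"\\Control Panel\\Desktop$", re.I)
# Win32 and native names for setting another thread's register context.
CONTEXT_APIS = {"SetThreadContext", "NtSetContextThread", "Wow64SetThreadContext"}


def match_behaviors(events: Iterable[Dict[str, str]]) -> Set[str]:
    """Return the set of signature names matched by an ordered event trace."""
    hits: Set[str] = set()
    written: Set[str] = set()        # paths written earlier in this trace
    for ev in events:
        kind = ev["type"]
        if kind == "file_write":
            written.add(ev["path"].lower())
        elif kind == "image_load" and ev["path"].lower() in written:
            # "dropped" means the DLL was written by the run before being loaded
            hits.add("Loads dropped DLL")
        elif kind == "reg_set":
            if RUN_KEY_RE.search(ev["key"]):
                hits.add("Adds Run key to start application")
            elif WALLPAPER_KEY_RE.search(ev["key"]) and ev["name"].lower() == "wallpaper":
                hits.add("Sets desktop wallpaper using registry")
        elif kind == "api_call" and ev["api"] in CONTEXT_APIS:
            # Only cross-process use is suspicious; a debugger or exception
            # handler legitimately sets context on its own threads.
            if ev.get("target_pid") != ev["pid"]:
                hits.add("Suspicious use of SetThreadContext")
        elif kind == "file_delete" and ev["path"].lower() == ev["image"].lower():
            # Direct self-delete only; deletion via a spawned cmd.exe would
            # need parent/child correlation, which this example omits.
            hits.add("Deletes itself")
    return hits
```

The order of events matters for the dropped-DLL rule: a load of a path that was never written in the trace is treated as an ordinary module load, and a SetThreadContext call against the process's own PID is deliberately ignored to keep the signature from firing on benign debuggers and exception handling.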

MITRE ATT&CK Enterprise v6

Tasks