locky | 75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b

General

Target

75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe
Size

250KB
MD5

81e615463fa607f05281a9030289eda5
SHA1

32bf8f36acb355c817bce927640fed08a630c4ea
SHA256

75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b
SHA512

a7a5feae3ea7fd0642a30f8a7821e2b57925aad3ed18101a8fb6c72d63e925c59c92ff0dad5cbfdce37d9543ecc0f137a08e4285958dcbb84e6276dcb11372f0

Score

10^/10

locky ransomware suricata

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
suricata: ET MALWARE Ransomware Locky CnC Beacon 21 May
suricata: ET MALWARE Ransomware Locky CnC Beacon 21 May
suricata

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\_HELP_instructions.bmp"	75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\TileWallpaper = "0"	75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\WallpaperStyle = "0"	75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd40000000002000000000010660000000100002000000094829a2c6d7443abba5e6d7222fc7e55628d3b3c54784752965d4d02ee93d7f0000000000e8000000002000020000000f6cfd8f2379e48ee0e6c57fa502f4f4bc2d9006d31588734fffb1c753dfeb0f4900000007beab47d6d6828205da2ccc34476528142332335138c80620660f68f5856adb4f7f65a6138abd15b6b01f5110dc72469d8e5a251f51aa02b9efa87e197f602a66575f0c84f35ec07638eb7505254e29b351931efa8340a31755b2f43c1724c938a0ee4270c7a1fd5e84ae3b48335130f90b23ffb569d1f16edd1024c06d02d43b3559c1678d21998db14e582a5803d85400000003deb6b542f7047ee936a48a2bfdfe685f4846bdb8c89cb684068754b81be2d680e61a9b335a73b0d3f428ec562751491e9f01f6f389c9a24c5a1c9557e247af0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "363206112"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd400000000020000000000106600000001000020000000818b43de035800c25bf280b136184cdc207a90b189dcf85bdee3faee9323a9e5000000000e8000000002000020000000de4961e8719116fdab7722f5730c78e82456c1d9fdf579a3089bbcb51298eaf320000000ab735ffca97bf5ff94f9cbdd9fe5cb7231c1dea111b8a9925a8b0ed9d6605bed40000000bcb95395729dea44f249f8935db053fc5063f075b57e42d0ab40ca7ceb8c361e95bfe5c4c8456f2b30b713015ce3c937dd2830c0d97517bcc8531045bd46a42d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4015ea741d8bd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9F1E28B1-F710-11EC-9E63-4659A2147DF1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

552 iexplore.exe
596 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

552 iexplore.exe
552 iexplore.exe
1096 IEXPLORE.EXE
1096 IEXPLORE.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe

pid process

836 75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe

pid	process
552	iexplore.exe
596	DllHost.exe

pid	process
552	iexplore.exe
552	iexplore.exe
1096	IEXPLORE.EXE
1096	IEXPLORE.EXE

pid	process
836	75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exeiexplore.exe

description	pid	process	target process
PID 836 wrote to memory of 552	836	75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe	iexplore.exe
PID 836 wrote to memory of 552	836	75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe	iexplore.exe
PID 836 wrote to memory of 552	836	75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe	iexplore.exe
PID 836 wrote to memory of 552	836	75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe	iexplore.exe
PID 552 wrote to memory of 1096	552	iexplore.exe	IEXPLORE.EXE
PID 552 wrote to memory of 1096	552	iexplore.exe	IEXPLORE.EXE
PID 552 wrote to memory of 1096	552	iexplore.exe	IEXPLORE.EXE
PID 552 wrote to memory of 1096	552	iexplore.exe	IEXPLORE.EXE
PID 836 wrote to memory of 1976	836	75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe	cmd.exe
PID 836 wrote to memory of 1976	836	75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe	cmd.exe
PID 836 wrote to memory of 1976	836	75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe	cmd.exe
PID 836 wrote to memory of 1976	836	75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe
"C:\Users\Admin\AppData\Local\Temp\75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:836
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_HELP_instructions.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:552 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\75bfb147b691410444292af3296dec7e071d07d937acd3ab93fb87d36043470b.exe"
  2⤵
  PID:1976

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VI1V80H8.txt

Filesize
604B

MD5
814224b5a97290b26c272cbef84e6231

SHA1
2f62d94da8d74445c2a62b86a8bb5abf575f9c3f

SHA256
b31836e6ea7f4ce692a3b70cb7f679d3c3458f9ad2fdbb14e3c9c7e00f03047b

SHA512
bd3a92f6910178c5bb03c9881b31c53886884237481b4eacaea4ac915f13a0e77494279b503343ead7c6bd8cfcda9f3b05d73416f0b870009384026666d1135a

Download Submit
C:\Users\Admin\Desktop\_HELP_instructions.bmp

Filesize
3.4MB

MD5
6905fdcbc2b7ad8ff9de60524e1e58d8

SHA1
49a13445fd4ef4366a45f3c0c5deee256eb0bbfe

SHA256
5c7dc9d796bc8bd184a19ca93f90b74f1bae499d6cded298b5ea8c03005f04d4

SHA512
6bafcb6c25f36c664461b7fda7bbabdca22a4519b550d1955cf58e2edd252db69ae86e9134deb4e63760fafa8ff93757dc7723da0eb6ed4f95f813c83b32cc96

Download Submit
C:\Users\Admin\Desktop\_HELP_instructions.html

Filesize
9KB

MD5
a516e194a9b1148e7b1c2c8fb5183354

SHA1
2939fa3f62d101e8bcbe240747b857412b2b2e34

SHA256
02cedcf5cf0a2b4b307f477067453cd0be83cc6e0077852f840e64d60e58e215

SHA512
736e25360afea5f4b2d448ddbb8dd693c7f10b1acdb098b96f1dec21d5604f3b09cc34421952dc2b39a8ef01e64dac31af9a5292f88ff1d16302d2fdd25b52cb

Download Submit
memory/836-54-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/836-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/836-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/836-58-0x00000000002E0000-0x0000000000306000-memory.dmp

Filesize
152KB

Download
memory/836-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/836-60-0x00000000002E0000-0x0000000000306000-memory.dmp

Filesize
152KB

Download
memory/836-64-0x00000000002E0000-0x0000000000306000-memory.dmp

Filesize
152KB

Download
memory/836-63-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1976-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads