locky | 5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c

General

Target

5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe
Size

211KB
MD5

a36ce179802137661d4429992fde242b
SHA1

ef461c73b2d0e0eae486c6615750e47f2a496a4a
SHA256

5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c
SHA512

3fb6ff43c0dcbdae418d91db7e5d4560c4a39fecf0f62c99e6efa8a37816c3f2da705739104c918bd94c90e7154e54b700f822ffa16fa456f13f7c8e40fe9f78

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

820 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe

pid process

1828 5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe

pid	process
820	cmd.exe

pid	process
1828	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\_HELP_instructions.bmp"	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe

description	pid	process	target process
PID 1828 set thread context of 1980	1828	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\WallpaperStyle = "0"	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\TileWallpaper = "0"	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b00000000020000000000106600000001000020000000ef873a168f62569ce363b2bcc0ec34c29d95904b5d7f3ed05c44748f81deb9b6000000000e800000000200002000000083768db7a6d700b4a4e70fb2f4edbeb65f014a5b207f7a866494a84b1b5466b120000000a4d3f94418dee28eea5583a34826c9e793ccc3e64eb888862b0ff3d5f4076f04400000003f5b77714376ca1e913052bf243b95f2cc541b3f5c5f12b1c03e693580dc47a47aa11d31fd79169401c2c4011ed56275373a353a43916243c4bb87cf34c34fea	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "363203259"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FB048AE1-F709-11EC-9A1E-D6AF54037788} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b0000000002000000000010660000000100002000000072bea4fce604d646047a6fcdd52b5dfbc11e2a74e5d58564d7ce920c6dc92afe000000000e80000000020000200000004e5d580d34abcaac04ef74cc589bc11970a15b857a4ea862b4ab9e7b1ed813b190000000ace13ff95a43a902b96e49bead4a63636ae39c4abd3e7ee081fb7869834e14593f34d9435f033cec571d489f0bab9eecbf0cd2488fea0c9e4f99512d5da42a9080db55fa173d35042b6d74fde3ecb8c6ffbb156aa17fee8a3b102470ed3524e402f04105b7cbe152a7a5675833ce45671a7644c3c2e24147453e8ab834c6b4630d89adf9e49b3f05c708628d87a93b1c400000002c118f7205bf8d183be07cf0a9690d81443b201248c917ee3bfe8c87b334c1571cb4ae9aae8389f2d8145bcab44a6fbcedd25e157982f61f55155f08fab01a06	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0d8d2d0168bd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe

pid process

1828 5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1084 iexplore.exe
1736 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1084 iexplore.exe
1084 iexplore.exe
1504 IEXPLORE.EXE
1504 IEXPLORE.EXE

pid	process
1828	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe

pid	process
1084	iexplore.exe
1736	DllHost.exe

pid	process
1084	iexplore.exe
1084	iexplore.exe
1504	IEXPLORE.EXE
1504	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exeiexplore.exe

description	pid	process	target process
PID 1828 wrote to memory of 1980	1828	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe
PID 1828 wrote to memory of 1980	1828	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe
PID 1828 wrote to memory of 1980	1828	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe
PID 1828 wrote to memory of 1980	1828	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe
PID 1828 wrote to memory of 1980	1828	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe
PID 1980 wrote to memory of 1084	1980	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe	iexplore.exe
PID 1980 wrote to memory of 1084	1980	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe	iexplore.exe
PID 1980 wrote to memory of 1084	1980	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe	iexplore.exe
PID 1980 wrote to memory of 1084	1980	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe	iexplore.exe
PID 1084 wrote to memory of 1504	1084	iexplore.exe	IEXPLORE.EXE
PID 1084 wrote to memory of 1504	1084	iexplore.exe	IEXPLORE.EXE
PID 1084 wrote to memory of 1504	1084	iexplore.exe	IEXPLORE.EXE
PID 1084 wrote to memory of 1504	1084	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 820	1980	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe	cmd.exe
PID 1980 wrote to memory of 820	1980	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe	cmd.exe
PID 1980 wrote to memory of 820	1980	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe	cmd.exe
PID 1980 wrote to memory of 820	1980	5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe
"C:\Users\Admin\AppData\Local\Temp\5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe
"C:\Users\Admin\AppData\Local\Temp\5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe"
2⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_HELP_instructions.html
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1084 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\5c91d98b73496259cc907a4fb562272b1bbaa91e0b1d02a8aa54fbee49e4749c.exe"
3⤵
- Deletes itself
PID:820

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JURUNTOW.txt

Filesize
605B

MD5
54b41008324f6e61fdd5756cd57554db

SHA1
630966b6fcc686398b6c16ce54e059464b6b1fd0

SHA256
2d77b30b2a15685025e3875119ef1d7213a5a01218b22d842d08a488bb314296

SHA512
0525637106273aaa579af7de8af7d79235651087a62029e7b965b86d16f6249be318c0b1d233ad204ac63bc22df3f1fb1a25889055261f3ed905d784319ca671

Download Submit
C:\Users\Admin\Desktop\_HELP_instructions.bmp

Filesize
3.4MB

MD5
7e3e480dc699b0df26161f166bc572cc

SHA1
d9325a4509f1a17ac4f05f37320d7bbd80812d39

SHA256
e084c6e7d401c5ea337dd1944e827b622179de0174697868ba97a115b09a1d1d

SHA512
42cd9b6e477b9a4cc441b4446b7d19b3536007a6a254c7fc97f534f28f28e7acbab20debd7e4bf7c5395b48c2ab972abba5823d5842a7ec239296e70e38d417f

Download Submit
C:\Users\Admin\Desktop\_HELP_instructions.html

Filesize
10KB

MD5
da0fee60eaffb198a1a848e0d5d9e7af

SHA1
4e744b8bc85d8ac70cfff1f718a45b63aaf9fe06

SHA256
103961ceabe194c4d79bcf23a0e6aad51d072fa25128b46ff198e0dc08335da9

SHA512
700a08649444548830aa61819c8209c287063a43503e4c32f836d2553cbf5e45b8d7ee1b483bb1e1b1b4b6caf24ad64f852d5794814b83f04b4e54f4e6125684

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2C60.tmp\System.dll

Filesize
11KB

MD5
ee260c45e97b62a5e42f17460d406068

SHA1
df35f6300a03c4d3d3bd69752574426296b78695

SHA256
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

SHA512
a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

Download Submit
memory/820-64-0x0000000000000000-mapping.dmp

Download
memory/1828-56-0x00000000003A0000-0x00000000003A3000-memory.dmp

Filesize
12KB

Download
memory/1828-59-0x00000000003A0000-0x00000000003A3000-memory.dmp

Filesize
12KB

Download
memory/1828-54-0x0000000075741000-0x0000000075743000-memory.dmp

Filesize
8KB

Download
memory/1980-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1980-65-0x0000000000280000-0x00000000002A6000-memory.dmp

Filesize
152KB

Download
memory/1980-62-0x0000000000280000-0x00000000002A6000-memory.dmp

Filesize
152KB

Download
memory/1980-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1980-57-0x000000000040560B-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads