locky | b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71

General

Target

b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe
Size

191KB
MD5

47380d71be72bb4ff55b5e51f8bdc963
SHA1

c9fa6bfaa364a15a1aec3a8645999bd3fe7cd3af
SHA256

b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71
SHA512

4b3e4094d8de13dee8f1bcbdc125e91a814fb7a46ce3531326192fad909d6e3b4e912331614bbb302ee18ef0caa14da9f767e554685676b438b89b04d6eb32c8

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

896 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe

pid process

912 b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe

pid	process
896	cmd.exe

pid	process
912	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\_HOWDO_text.bmp"	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe

description	pid	process	target process
PID 912 set thread context of 800	912	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\WallpaperStyle = "0"	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\TileWallpaper = "0"	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1D266B51-F720-11EC-BA7D-66DE0394A5F7} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60bcc2f22c8bd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "363212766"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec0000000000200000000001066000000010000200000008c935e71fcda5d5e6ea807cac974ccfc8a8f36bd7585bc9b2354a1d73ccbc540000000000e800000000200002000000024da2860045f32ce790f46f6990e10b4d42c0833bf9544cfb6b71da35a7185f8900000008981724e712ae0f84a0d4be40089e50b8bd078a8c919ecc514aa1dec494ee9a38f668c0e28ff72b688ae981a94b7123cfa2c028788cf5f3ba32c7ccdff176cd718eecca40fb1c6582c7b26e77c9a35343fa8cc5c6cec55dddad029e8772520487381a63dc3e0d345db39b928ec73bb14ae6bae70e1ed10c3704fc574f426fbe34c6b700af31fe832b12dfda646be06da4000000002221a5f675452c9ee2bceaf4c75e9bf16f85f183723f513b977720b728e0e690292acfd875e3f5559d9ee8f40cd0dbbe93980ecc7d66f27e5c7ac41136352a0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec00000000002000000000010660000000100002000000091007eda9b257a0365bc26ec47cf4480b8345b2641487455fe782e0c0191aca2000000000e800000000200002000000004d59f1871bca2983574a56eca6d7f53f1c7cae64a0df11313cf88ffb393f5c92000000024dd92b8d1b43623d7fcff0aa7299862d8d7505d35540013df6d0c88cad2b391400000004700a165c21d979300b66f2bad0ed5933afae28e74ff1d1ac2dc0ba782c66db91de94efbc83a61a5e978d1258a1807e0f2a8d69e2ea277f132b404dd5c02b18a	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe

pid process

912 b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1876 iexplore.exe
1244 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1876 iexplore.exe
1876 iexplore.exe
360 IEXPLORE.EXE
360 IEXPLORE.EXE

pid	process
912	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe

pid	process
1876	iexplore.exe
1244	DllHost.exe

pid	process
1876	iexplore.exe
1876	iexplore.exe
360	IEXPLORE.EXE
360	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exeb428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exeiexplore.exe

description	pid	process	target process
PID 912 wrote to memory of 800	912	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe
PID 912 wrote to memory of 800	912	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe
PID 912 wrote to memory of 800	912	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe
PID 912 wrote to memory of 800	912	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe
PID 912 wrote to memory of 800	912	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe
PID 800 wrote to memory of 1876	800	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe	iexplore.exe
PID 800 wrote to memory of 1876	800	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe	iexplore.exe
PID 800 wrote to memory of 1876	800	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe	iexplore.exe
PID 800 wrote to memory of 1876	800	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe	iexplore.exe
PID 1876 wrote to memory of 360	1876	iexplore.exe	IEXPLORE.EXE
PID 1876 wrote to memory of 360	1876	iexplore.exe	IEXPLORE.EXE
PID 1876 wrote to memory of 360	1876	iexplore.exe	IEXPLORE.EXE
PID 1876 wrote to memory of 360	1876	iexplore.exe	IEXPLORE.EXE
PID 800 wrote to memory of 896	800	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe	cmd.exe
PID 800 wrote to memory of 896	800	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe	cmd.exe
PID 800 wrote to memory of 896	800	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe	cmd.exe
PID 800 wrote to memory of 896	800	b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe
"C:\Users\Admin\AppData\Local\Temp\b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Temp\b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe
  "C:\Users\Admin\AppData\Local\Temp\b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe"
  2⤵
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_HOWDO_text.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:360
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\b428e5d84776ac342681ab069cdcf0585b62868a6407345b508f2c459f870a71.exe"
    3⤵
    - Deletes itself
    PID:896

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V2E26LNA.txt

Filesize
599B

MD5
2456acde24d0f0ff888f7b4eb077550b

SHA1
cf36b204a7ae1041f1eeb07069ba547d6a0c6adc

SHA256
e93e1b85b155ec46f1e53ae40be9d7f8062590db2bf82c122265f6f4fe85f841

SHA512
5f5302e298c238d3bcdd216786b40bb283414fd6d09a9bddd46fbc5d924328444483267f022b71b70aa88642461cf047d3881f4a5f5045822fa0a496f80bdfde

Download Submit
C:\Users\Admin\Desktop\_HOWDO_text.bmp

Filesize
3.5MB

MD5
5712470aac14e46b14679840f9bbaad6

SHA1
701ba35b5186de23695ff4c612e10e7d8985666a

SHA256
feea31824c902d9450208271cdb902a5169a44cf41c9446760c6779d8319001b

SHA512
f11e1a9ae954ef0a72743123954b0dc937adc4a7758bc2a71dcc43c2d39a41ae55777cedf39d41a1cf14031d728322f7a6bcf9cf8b3a497f8542a6580b30a121

Download Submit
C:\Users\Admin\Desktop\_HOWDO_text.html

Filesize
8KB

MD5
844f46a194471b4a01b9bf64579b2388

SHA1
c05d0b6d010e68e258e00e9f55134c4e3fcc338c

SHA256
4b52fc4a44e24c662be4c7a6c44f9a547f9f8d587adad4a8de9719b171c39d56

SHA512
939dc2680a390b964134d61aeef22d925b53691425bb3a75e14f51540e906023f8672ea5562f26fe9d0cc4262f6f9a2d4642e2c86745a1b461220e6d4068a00d

Download Submit
\Users\Admin\AppData\Local\Temp\nsyEA52.tmp\System.dll

Filesize
11KB

MD5
3e6bf00b3ac976122f982ae2aadb1c51

SHA1
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

SHA256
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

SHA512
1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

Download Submit
memory/800-57-0x00000000001C560B-mapping.dmp

Download
memory/800-60-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/800-61-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/800-64-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/896-63-0x0000000000000000-mapping.dmp

Download
memory/912-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/912-56-0x00000000006D0000-0x00000000006F7000-memory.dmp

Filesize
156KB

Download
memory/912-59-0x00000000006D0000-0x00000000006F7000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads