locky | 630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006

General

Target

630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe
Size

173KB
MD5

a8b2040f48ba52cab49117636185bdcb
SHA1

084fd006c562cd0a6114018208948f8bfcd0a465
SHA256

630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006
SHA512

142d2d128494abf36f6d97590f6ec8881c7ddde559644b5281f8e65582550937192b2499c905285d2c4d0fc65b6e326cf781d917d688fa5e06ecfbdb7a8693df

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1160 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe

pid process

784 630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe

pid	process
1160	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\_HELP_instructions.bmp"	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe

description	pid	process	target process
PID 784 set thread context of 2020	784	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\Desktop\WallpaperStyle = "0"	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\Desktop\TileWallpaper = "0"	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3051d561648bd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "363236573"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8B11E541-F757-11EC-93AC-6280490416C4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c0000000002000000000010660000000100002000000037e83172deb64678910ee3a7ff06c81af98f54cfdad2b010c71627eb103b765e000000000e800000000200002000000059e484fc6c98402dccebf9ca0deba2ee4ec38c7e3f980f18425df6c58f30ac8b20000000dfe1580cb5527e25a4a914c105b4e7fc5f9de151f39e1e8db1279cbebcaf1d72400000000dc086af0a3211c80cbeacb8b072f21218b9a157910770855c404b53648efeb02b037a630d08ec9ffceedad3f3ae43f2cfd9f24d37929549e88938eba0cda97d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c00000000020000000000106600000001000020000000bb8ec29fbc1c98b0dd5caebd877898d3dbafdd2fdcf49789103b9abf692e1aa2000000000e800000000200002000000070b92a255528d1002e074938edcd6c1b4e65cdee41105113a2c554cac6f45fcb900000001e0190c2c20930cd956da02877b7099d3440d1c65f770c70a148ddf0dff102419f72fb81eebadbecfb72ab937c4638821ea1ceb0126bb2cf81c2091cd82aa6e75a90d817efadcc9e1c947892f4fec852b3064f28f9262e0c204423c12760070521b1f59e31fd13450212190d3ef5271ddb32a5d26c6036e00a40ac1cdd093960e82eecf487dad1df48cdebd29e274f1a40000000dc8e1aa19863168de57d7206308caa8713e7db75ddc02360722030d9e79e928022672a3b53375cd8e749957523b7620e3acbae40890117a1dcecdabb0445e242	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe

pid	process
784	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe
784	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe

pid process

784 630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1180 iexplore.exe
1108 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1180 iexplore.exe
1180 iexplore.exe
664 IEXPLORE.EXE
664 IEXPLORE.EXE

pid	process
1180	iexplore.exe
1108	DllHost.exe

pid	process
1180	iexplore.exe
1180	iexplore.exe
664	IEXPLORE.EXE
664	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exeiexplore.exe

description	pid	process	target process
PID 784 wrote to memory of 2020	784	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe
PID 784 wrote to memory of 2020	784	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe
PID 784 wrote to memory of 2020	784	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe
PID 784 wrote to memory of 2020	784	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe
PID 784 wrote to memory of 2020	784	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe
PID 2020 wrote to memory of 1180	2020	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe	iexplore.exe
PID 2020 wrote to memory of 1180	2020	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe	iexplore.exe
PID 2020 wrote to memory of 1180	2020	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe	iexplore.exe
PID 2020 wrote to memory of 1180	2020	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe	iexplore.exe
PID 2020 wrote to memory of 1160	2020	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe	cmd.exe
PID 2020 wrote to memory of 1160	2020	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe	cmd.exe
PID 2020 wrote to memory of 1160	2020	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe	cmd.exe
PID 2020 wrote to memory of 1160	2020	630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe	cmd.exe
PID 1180 wrote to memory of 664	1180	iexplore.exe	IEXPLORE.EXE
PID 1180 wrote to memory of 664	1180	iexplore.exe	IEXPLORE.EXE
PID 1180 wrote to memory of 664	1180	iexplore.exe	IEXPLORE.EXE
PID 1180 wrote to memory of 664	1180	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe
"C:\Users\Admin\AppData\Local\Temp\630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe
"C:\Users\Admin\AppData\Local\Temp\630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe"
2⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_HELP_instructions.html
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1180

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:664

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\630501913e1797d2dd91c3441bfac4e0b9e5340a0c3fab018ac3d98136a14006.exe"
3⤵
- Deletes itself
PID:1160

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MKSBXNE5.txt
Filesize
608B

MD5
59fe1a660f31a164d12988bf0bfb31f1

SHA1
5a63305fd8446224697f3504ec812a2437fbded6

SHA256
35fe23e9cd03ccef248568dbd7d3ae89de986f652a4bc8047f878bc2122a6cfc

SHA512
0f0c0f2145d05fd9f7b697246cd27c9e9330650d17d50641729ed3b94270fc8da208f910389f9e4ca9514e2a90ab5d574726b7b2a5d110d39790e87daf0ca0d3

Download Submit
C:\Users\Admin\Desktop\_HELP_instructions.bmp
Filesize
3.3MB

MD5
9d3616d1aed91f10aadbbc89d7ea3c54

SHA1
5c3ebf9369876663068f17e89020c5b85c7a609c

SHA256
836bfdf4041881703c0b6849788a800629ec9ad856d5f27229a2b181c3a9c42e

SHA512
86d5ec65e0bd96bbaa61a746890eb51947044573a02daa15ef2d870c380fac9dceb898831cc0f5a69c97383929165a8b269c4cca2606caac19a833af6646a6b1

Download Submit
C:\Users\Admin\Desktop\_HELP_instructions.html
Filesize
9KB

MD5
3311ea81a6e152e291b5daec5c9dfcde

SHA1
7187032bfd850895d791a46c8008629722ea3477

SHA256
f26a441560809f7d1b4dbc2e84f79917eeeafe60c32ffe8febc09c98e5082943

SHA512
04dc39df774c229d3b01b4fa7c675fa0196629c612e0ca00994b628334322d992b37bf561c6828cb6597082c3eaca28186b3028629e800004b0247119bce8cfa

Download Submit
\Users\Admin\AppData\Local\Temp\nso2271.tmp\System.dll
Filesize
11KB

MD5
fc3772787eb239ef4d0399680dcc4343

SHA1
db2fa99ec967178cd8057a14a428a8439a961a73

SHA256
9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed

SHA512
79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89

Download Submit
memory/784-56-0x00000000002F0000-0x00000000002F3000-memory.dmp

Filesize
12KB

Download
memory/784-59-0x00000000002F0000-0x00000000002F3000-memory.dmp

Filesize
12KB

Download
memory/784-54-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/1160-64-0x0000000000000000-mapping.dmp

Download
memory/2020-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2020-65-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download
memory/2020-62-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download
memory/2020-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2020-57-0x000000000040560B-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads