locky | 3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac

General

Target

3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe
Size

654KB
MD5

693ef59145aa6b9e329f91538855ef64
SHA1

e3067d7c7227af026c0abfbdf7b417c4e294f380
SHA256

3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac
SHA512

3f0ad7a869823d63d1867f4bf2322e88a909324bab80e7e6d8906237db0aea669326030f16a337980681cfd94c86a955ccb2747ff41be0bf75da112a53693a6b

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\TraceNew.tiff	3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe
File opened for modification	\??\c:\Users\Admin\Pictures\HideInvoke.tiff	3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe
File opened for modification	\??\c:\Users\Admin\Pictures\WriteMove.tiff	3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ExitUnregister.tiff	3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe
File opened for modification	\??\c:\Users\Admin\Pictures\SyncDeny.tiff	3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1708 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1456 vssvc.exe
Token: SeRestorePrivilege 1456 vssvc.exe
Token: SeAuditPrivilege 1456 vssvc.exe

pid	process
1708	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	1456	vssvc.exe
Token: SeRestorePrivilege	1456	vssvc.exe
Token: SeAuditPrivilege	1456	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 556 wrote to memory of 1708	556	taskeng.exe	vssadmin.exe
PID 556 wrote to memory of 1708	556	taskeng.exe	vssadmin.exe
PID 556 wrote to memory of 1708	556	taskeng.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe
"C:\Users\Admin\AppData\Local\Temp\3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe"
1⤵
- Modifies extensions of user files
PID:2024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\taskeng.exe
taskeng.exe {1FD80088-42B7-47CA-B7F0-2322CF0EA43E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
2⤵
- Interacts with shadow copies
PID:1708

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-57-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x0000000074DD1000-0x0000000074DD3000-memory.dmp

Filesize
8KB

Download
memory/2024-56-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2024-55-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing