locky | 3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac

Analysis

max time kernel
149s
max time network
89s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-07-2022 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe
Size

654KB
MD5

693ef59145aa6b9e329f91538855ef64
SHA1

e3067d7c7227af026c0abfbdf7b417c4e294f380
SHA256

3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac
SHA512

3f0ad7a869823d63d1867f4bf2322e88a909324bab80e7e6d8906237db0aea669326030f16a337980681cfd94c86a955ccb2747ff41be0bf75da112a53693a6b

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Pictures\TraceNew.tiff	3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe
File opened for modification	\??\c:\Users\Admin\Pictures\HideInvoke.tiff	3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe
File opened for modification	\??\c:\Users\Admin\Pictures\WriteMove.tiff	3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ExitUnregister.tiff	3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe
File opened for modification	\??\c:\Users\Admin\Pictures\SyncDeny.tiff	3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1708	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1456	vssvc.exe
Token: SeRestorePrivilege	1456	vssvc.exe
Token: SeAuditPrivilege	1456	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 1708	556	taskeng.exe	30
PID 556 wrote to memory of 1708	556	taskeng.exe	30
PID 556 wrote to memory of 1708	556	taskeng.exe	30

C:\Users\Admin\AppData\Local\Temp\3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe
"C:\Users\Admin\AppData\Local\Temp\3a810cbad7296f83122c4a16b935a723d8019419069a55c939d93c246abed2ac.exe"
1⤵
- Modifies extensions of user files
PID:2024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\taskeng.exe
taskeng.exe {1FD80088-42B7-47CA-B7F0-2322CF0EA43E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
  2⤵
  - Interacts with shadow copies
  PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact