locky | 5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8

Analysis

max time kernel
169s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
13-07-2022 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe
Size

204KB
MD5

e1a9b6f7285a85e682ebcad028472d13
SHA1

1347b810ac90c13154908f7cf45b11913c182e44
SHA256

5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8
SHA512

35e6adb72faba256c94a7abe205ff14752f46c830292905e24605a479d15b6aa6b4ccfcc6d4937dfad8698cfa8da4a4cd68b38ded5c14ed24127f605c6fe6874

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2508	2660	WerFault.exe	5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe
3332	2660	WerFault.exe	5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe

C:\Users\Admin\AppData\Local\Temp\5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe
"C:\Users\Admin\AppData\Local\Temp\5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8.exe"
1⤵
- Checks BIOS information in registry
PID:2660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 468
  2⤵
  - Program crash
  PID:2508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 476
  2⤵
  - Program crash
  PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2660 -ip 2660
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2660 -ip 2660
1⤵
PID:2920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2660-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download