locky | 5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78

Analysis

max time kernel
169s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
13-07-2022 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78.exe
Size

604KB
MD5

29649c968550c8e97565e81dcce5b81a
SHA1

a08c1bf3c9a73492ad27d793efa057f5582703ac
SHA256

5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78
SHA512

87f09ffc9ebfe5e890e11445a8b856ad3521e2b021da9548e8594b85adb3b99c307224ca4e466f9057a92ead34eb8dceaa2556145676958af1233b6b174eb29f

Score

10^/10

locky persistence ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opt321 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78.exe"	5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78.exe

description	pid	process
Token: SeDebugPrivilege	5064	5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78.exe
Token: SeTakeOwnershipPrivilege	5064	5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78.exe
Token: SeBackupPrivilege	5064	5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78.exe
Token: SeRestorePrivilege	5064	5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78.exe

C:\Users\Admin\AppData\Local\Temp\5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78.exe
"C:\Users\Admin\AppData\Local\Temp\5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5064-131-0x0000000000400000-0x000000000049DAA4-memory.dmp

Filesize
630KB

Download
memory/5064-130-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5064-133-0x0000000000400000-0x000000000049DAA4-memory.dmp

Filesize
630KB

Download
memory/5064-134-0x0000000000400000-0x000000000049DAA4-memory.dmp

Filesize
630KB

Download