Analysis
- max time kernel: 11s
- max time network: 7s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24-10-2022 10:28
Static task: static1
Behavioral task: behavioral1
- Sample: 0ddc0f51f16a49c6ea129b63eecbd2001ddcaac050f595fca5eede491f7a7693.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 0ddc0f51f16a49c6ea129b63eecbd2001ddcaac050f595fca5eede491f7a7693.exe
- Resource: win10v2004-20220901-en
General
- Target: 0ddc0f51f16a49c6ea129b63eecbd2001ddcaac050f595fca5eede491f7a7693.exe
- Size: 607KB
- MD5: da863294f14ea0c1ab3e68ba6b45f0cf
- SHA1: c9143d4a1ef5d493660832efef9ff5df52e39a55
- SHA256: 0ddc0f51f16a49c6ea129b63eecbd2001ddcaac050f595fca5eede491f7a7693
- SHA512: 992504c05a79439bd4a78afa1bcd3162fa10fcd8c5f6988086104dc9035b7bffffe3b06f00a22634b00282b4d6a0685a984c887f731db9e41cc26e1d66a75bcc
- SSDEEP: 12288:f9C97J5k4se/Si1o3lHkvvCuKgwdMsAA:f9s7JLUi1olHuquKgwdvA
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: 0ddc0f51f16a49c6ea129b63eecbd2001ddcaac050f595fca5eede491f7a7693.exe, vssvc.exe

description                       pid   process
Token: SeDebugPrivilege           1456  0ddc0f51f16a49c6ea129b63eecbd2001ddcaac050f595fca5eede491f7a7693.exe
Token: SeTakeOwnershipPrivilege   1456  0ddc0f51f16a49c6ea129b63eecbd2001ddcaac050f595fca5eede491f7a7693.exe
Token: SeBackupPrivilege          1456  0ddc0f51f16a49c6ea129b63eecbd2001ddcaac050f595fca5eede491f7a7693.exe
Token: SeRestorePrivilege         1456  0ddc0f51f16a49c6ea129b63eecbd2001ddcaac050f595fca5eede491f7a7693.exe
Token: SeBackupPrivilege          1112  vssvc.exe
Token: SeRestorePrivilege         1112  vssvc.exe
Token: SeAuditPrivilege           1112  vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ddc0f51f16a49c6ea129b63eecbd2001ddcaac050f595fca5eede491f7a7693.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0ddc0f51f16a49c6ea129b63eecbd2001ddcaac050f595fca5eede491f7a7693.exe"
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1112
Network
MITRE ATT&CK Matrix
Downloads
-
memory/1456-54-0x00000000768A1000-0x00000000768A3000-memory.dmp
Filesize: 8KB
-
memory/1456-55-0x0000000000400000-0x0000000000489000-memory.dmp
Filesize: 548KB
-
memory/1456-56-0x0000000000400000-0x000000000049F6A4-memory.dmp
Filesize: 637KB
-
memory/1456-58-0x0000000000400000-0x000000000049F6A4-memory.dmp
Filesize: 637KB