locky | d0431537537c9c73f5a1b90b46b560cac4be82feb5ac14d47163a9f4b4fa1a41

General

Target

56y4g45gh45h.exe
Size

91KB
MD5

91d8ab08a37f9c26a743380677aa200d
SHA1

e64e4617c8bdb5c6c3ae30e73d8211400651c8ba
SHA256

d0431537537c9c73f5a1b90b46b560cac4be82feb5ac14d47163a9f4b4fa1a41
SHA512

72d9ef9e26afa70ffe797a79fe3840e6b45d8e4ce863e4ea4eeda5b990f1e692c859addad49fdf7dfb41ad737cee88892caede348bdee13dc98fa5f8f57f7864
SSDEEP

1536:lf0kZhST9p9VTME6Pd+u7RVvGlhRuqeyyD+bNaI+/x8SHO532QhqyIucYqRbwKGc:lflhk9VwZP7RxUKXy/Z8x8oAsucZtz

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2780 svchost.exe
4864 svchost.exe

pid	process
2780	svchost.exe
4864	svchost.exe

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4484	3232	WerFault.exe	56y4g45gh45h.exe
4500	3232	WerFault.exe	56y4g45gh45h.exe
3980	3232	WerFault.exe	56y4g45gh45h.exe
900	3232	WerFault.exe	56y4g45gh45h.exe
4420	1680	WerFault.exe	56y4g45gh45h.exe
4664	1680	WerFault.exe	56y4g45gh45h.exe
4692	1680	WerFault.exe	56y4g45gh45h.exe
2100	1680	WerFault.exe	56y4g45gh45h.exe
2872	3160	WerFault.exe	56y4g45gh45h.exe
2236	3160	WerFault.exe	56y4g45gh45h.exe
1008	3160	WerFault.exe	56y4g45gh45h.exe
2724	3160	WerFault.exe	56y4g45gh45h.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

svchost.exe7zFM.exe

description	pid	process
Token: SeBackupPrivilege	2444	svchost.exe
Token: SeRestorePrivilege	2444	svchost.exe
Token: SeSecurityPrivilege	2444	svchost.exe
Token: SeTakeOwnershipPrivilege	2444	svchost.exe
Token: 35	2444	svchost.exe
Token: SeRestorePrivilege	3572	7zFM.exe
Token: 35	3572	7zFM.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zFM.exe

pid process

3572 7zFM.exe

pid	process
3572	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

56y4g45gh45h.execmd.exe

description	pid	process	target process
PID 3232 wrote to memory of 2780	3232	56y4g45gh45h.exe	svchost.exe
PID 3232 wrote to memory of 2780	3232	56y4g45gh45h.exe	svchost.exe
PID 3232 wrote to memory of 2780	3232	56y4g45gh45h.exe	svchost.exe
PID 2744 wrote to memory of 3160	2744	cmd.exe	56y4g45gh45h.exe
PID 2744 wrote to memory of 3160	2744	cmd.exe	56y4g45gh45h.exe
PID 2744 wrote to memory of 3160	2744	cmd.exe	56y4g45gh45h.exe

C:\Users\Admin\AppData\Local\Temp\56y4g45gh45h.exe
"C:\Users\Admin\AppData\Local\Temp\56y4g45gh45h.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 440
2⤵
- Program crash
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 484
2⤵
- Program crash
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 492
2⤵
- Program crash
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 496
2⤵
- Program crash
PID:900

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Executes dropped EXE
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3232 -ip 3232
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3232 -ip 3232
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3232 -ip 3232
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3232 -ip 3232
1⤵
PID:1868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\56y4g45gh45h.exe
"C:\Users\Admin\AppData\Local\Temp\56y4g45gh45h.exe"
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 440
2⤵
- Program crash
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 480
2⤵
- Program crash
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 488
2⤵
- Program crash
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 516
2⤵
- Program crash
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1680 -ip 1680
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1680 -ip 1680
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1680 -ip 1680
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1680 -ip 1680
1⤵
PID:1016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\56y4g45gh45h.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Temp\56y4g45gh45h.exe
C:\Users\Admin\AppData\Local\Temp\56y4g45gh45h.exe
2⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 408
3⤵
- Program crash
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 432
3⤵
- Program crash
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 440
3⤵
- Program crash
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 416
3⤵
- Program crash
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3160 -ip 3160
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3160 -ip 3160
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3160 -ip 3160
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3160 -ip 3160
1⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Executes dropped EXE
PID:4864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
93KB

MD5
4e4a8812b80c8542a3095a53c29f5441

SHA1
6218bd4eba6d91007d8b8c32a040194ec123f5b6

SHA256
2cbf3ac4f304fa711e23d6a8a762451b7b06550d56b7bd688d4c6d1bee9984db

SHA512
5bfd0bb53db5e4c6abe8dbed61a14244e107061bd29319a30e6dc8ee1c87f9d88ead7c843494a0b927d32efbf95e9510eb4d67df6bc3f4c849c80798523a071b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
93KB

MD5
4e4a8812b80c8542a3095a53c29f5441

SHA1
6218bd4eba6d91007d8b8c32a040194ec123f5b6

SHA256
2cbf3ac4f304fa711e23d6a8a762451b7b06550d56b7bd688d4c6d1bee9984db

SHA512
5bfd0bb53db5e4c6abe8dbed61a14244e107061bd29319a30e6dc8ee1c87f9d88ead7c843494a0b927d32efbf95e9510eb4d67df6bc3f4c849c80798523a071b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
93KB

MD5
4e4a8812b80c8542a3095a53c29f5441

SHA1
6218bd4eba6d91007d8b8c32a040194ec123f5b6

SHA256
2cbf3ac4f304fa711e23d6a8a762451b7b06550d56b7bd688d4c6d1bee9984db

SHA512
5bfd0bb53db5e4c6abe8dbed61a14244e107061bd29319a30e6dc8ee1c87f9d88ead7c843494a0b927d32efbf95e9510eb4d67df6bc3f4c849c80798523a071b

Download Submit
memory/1680-140-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1680-141-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3160-142-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3160-143-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3232-133-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3232-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads