locky | 62a60f11e2c96019ad01d1cbae35dc3b71a1bdac7bfd0a0f207d69487e11374c

Analysis

max time kernel
93s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2023 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mars Stealer 8 cracked.exe
Size

9.7MB
MD5

2add5cd2d251750b6edbbcf9c618e2bd
SHA1

a167e4ef8c03e1c6b66fe75a9a61735eafd70cd8
SHA256

62a60f11e2c96019ad01d1cbae35dc3b71a1bdac7bfd0a0f207d69487e11374c
SHA512

ad7d5351de1698a6b60c0eeed13050dbefac2582300a9e4caf692d75b9507e15b2082d562d51df8ea0d79a0150b8de4464b2c92ea33386090dc9865e93133ca8
SSDEEP

196608:J2eeOCr4PpZVzx60Iwx2BbjDRog9AkczZtwc7V4IuSal:J2eZW4PpZVUy2p1z9Ar3wTIuSal

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Mars Stealer 8 cracked.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Mars Stealer 8 cracked.exe

Drops startup file 2 IoCs

Processes:

crack.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe	crack.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe	crack.exe

Executes dropped EXE 1 IoCs

Processes:

crack.exe

pid process

3096 crack.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

crack.exe

pid process

3096 crack.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Mars Stealer 8 cracked.exe

pid process

1664 Mars Stealer 8 cracked.exe
1664 Mars Stealer 8 cracked.exe

pid	process
3096	crack.exe

pid	process
3096	crack.exe

pid	process
1664	Mars Stealer 8 cracked.exe
1664	Mars Stealer 8 cracked.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

Mars Stealer 8 cracked.exe

description	pid	process	target process
PID 1664 wrote to memory of 3096	1664	Mars Stealer 8 cracked.exe	crack.exe
PID 1664 wrote to memory of 3096	1664	Mars Stealer 8 cracked.exe	crack.exe

C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Mars Stealer 8 cracked.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\crack.exe
"C:\Users\Admin\AppData\Local\Temp\crack.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Panel\www\panel\assets\images\flags\re.png
Filesize
545B

MD5
c1cf1874c3305e5663547a48f6ad2d8c

SHA1
0f67f12d76a0543772a3259a3b38935381349e01

SHA256
79a39793efbf8217efbbc840e1b2041fe995363a5f12f0c01dd4d1462e5eb842

SHA512
c00e202e083f703e39cafbb86f3e3f6b330359906e3a6c7a6a78364d6adeb489f8b8ab1b2d6a1b8d9ef1a17702cfc8fc17219cf1aae3e5a7c18833f028037843

Download Submit
C:\Users\Admin\AppData\Local\Temp\Panel\www\panel\assets\images\flags\sj.png
Filesize
512B

MD5
559ce5baaee373db8da150a5066c1062

SHA1
ee80e5f63c986d04f46bff10f639113c88107ced

SHA256
f8dc302371c809ebda3e9183c606264601f8dd851d2b1878fd25f0f6abe2988c

SHA512
c0ca7595cdd2dcef0385ccb1c0d15bb74accaea63b9531233bddf14c1791ffc9712dff660292706cfa269a975d29d7a189885cd09046ac6d8ed39a57ec9557ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\crack.exe
Filesize
18KB

MD5
a0a22ba1e62b67b91905665b86df33b3

SHA1
30f03b81aa46284e26ffb7de1f17ab4203c7fff6

SHA256
e3cb33466bed760b23a24bd723b68ccb5da82ee350793f4cde7aa5ad53541b94

SHA512
39c530c36e2653847cc016354a7909a68e24f0830361b9ed6c4731819decf1b36bb73880d82bceec894fc0dc1f69461d4fd6782e6c8814032beda9e38dafc0bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\crack.exe
Filesize
18KB

MD5
a0a22ba1e62b67b91905665b86df33b3

SHA1
30f03b81aa46284e26ffb7de1f17ab4203c7fff6

SHA256
e3cb33466bed760b23a24bd723b68ccb5da82ee350793f4cde7aa5ad53541b94

SHA512
39c530c36e2653847cc016354a7909a68e24f0830361b9ed6c4731819decf1b36bb73880d82bceec894fc0dc1f69461d4fd6782e6c8814032beda9e38dafc0bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\crack.exe
Filesize
18KB

MD5
a0a22ba1e62b67b91905665b86df33b3

SHA1
30f03b81aa46284e26ffb7de1f17ab4203c7fff6

SHA256
e3cb33466bed760b23a24bd723b68ccb5da82ee350793f4cde7aa5ad53541b94

SHA512
39c530c36e2653847cc016354a7909a68e24f0830361b9ed6c4731819decf1b36bb73880d82bceec894fc0dc1f69461d4fd6782e6c8814032beda9e38dafc0bb

Download Submit
memory/3096-828-0x00000000000C0000-0x00000000000CC000-memory.dmp

Filesize
48KB

Download
memory/3096-831-0x000000001C9C0000-0x000000001C9D0000-memory.dmp

Filesize
64KB

Download
memory/3096-832-0x000000001C9C0000-0x000000001C9D0000-memory.dmp

Filesize
64KB

Download