locky | 59e95c1c9dffd0f2b5a5b8a05b7e0f63d2d1582a582b0d11a399b0ca98816f83

General

Target

81ad0943b90b4dedbb6fd76278055c84.exe
Size

1.7MB
MD5

81ad0943b90b4dedbb6fd76278055c84
SHA1

4ba545ae626fcaba16ad4cbd8a0c2417c2b8db6f
SHA256

59e95c1c9dffd0f2b5a5b8a05b7e0f63d2d1582a582b0d11a399b0ca98816f83
SHA512

cacba5f3443da58c02e3cc39ac7a9c18699dc9ad5c0c51b547a5bdcd0a29552acbd5f5ead821d5d9fa2651cc4a38eb442f2dded06bf3217d1bddd682171a2703
SSDEEP

24576:1AHnh+eWsN3skA4RV1Hom2KXMmHaWh/BRg+Z7UDf0cGbiKdT/ZhGdx3rTERdjrb6:kh+ZkldoPK8YaWh/Ybr0j+KdThQbkzu

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Executes dropped EXE 5 IoCs

Processes:

setacl.exesetacl.exesetacl.exesetacl.exesetacl.exe

pid process

2736 setacl.exe
3012 setacl.exe
2760 setacl.exe
2628 setacl.exe
2612 setacl.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2864 cmd.exe

pid	process
2736	setacl.exe
3012	setacl.exe
2760	setacl.exe
2628	setacl.exe
2612	setacl.exe

pid	process
2864	cmd.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

81ad0943b90b4dedbb6fd76278055c84.exe

description	ioc	process
File opened (read-only)	\??\m:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\n:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\p:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\r:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\a:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\b:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\g:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\k:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\t:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\x:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\w:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\o:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\q:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\s:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\v:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\u:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\y:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\z:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\e:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\i:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\j:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\l:	81ad0943b90b4dedbb6fd76278055c84.exe
File opened (read-only)	\??\h:	81ad0943b90b4dedbb6fd76278055c84.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

81ad0943b90b4dedbb6fd76278055c84.exe

pid process

1204 81ad0943b90b4dedbb6fd76278055c84.exe

pid	process
1204	81ad0943b90b4dedbb6fd76278055c84.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

setacl.exesetacl.exesetacl.exesetacl.exesetacl.exe

description	pid	process
Token: SeBackupPrivilege	2736	setacl.exe
Token: SeRestorePrivilege	2736	setacl.exe
Token: SeTakeOwnershipPrivilege	2736	setacl.exe
Token: SeBackupPrivilege	3012	setacl.exe
Token: SeRestorePrivilege	3012	setacl.exe
Token: SeTakeOwnershipPrivilege	3012	setacl.exe
Token: SeBackupPrivilege	2760	setacl.exe
Token: SeRestorePrivilege	2760	setacl.exe
Token: SeTakeOwnershipPrivilege	2760	setacl.exe
Token: SeBackupPrivilege	2628	setacl.exe
Token: SeRestorePrivilege	2628	setacl.exe
Token: SeTakeOwnershipPrivilege	2628	setacl.exe
Token: SeBackupPrivilege	2612	setacl.exe
Token: SeRestorePrivilege	2612	setacl.exe
Token: SeTakeOwnershipPrivilege	2612	setacl.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

81ad0943b90b4dedbb6fd76278055c84.execmd.exenet.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1204 wrote to memory of 3004	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 3004	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 3004	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 3004	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 3004 wrote to memory of 2172	3004	cmd.exe	net.exe
PID 3004 wrote to memory of 2172	3004	cmd.exe	net.exe
PID 3004 wrote to memory of 2172	3004	cmd.exe	net.exe
PID 3004 wrote to memory of 2172	3004	cmd.exe	net.exe
PID 2172 wrote to memory of 2720	2172	net.exe	net1.exe
PID 2172 wrote to memory of 2720	2172	net.exe	net1.exe
PID 2172 wrote to memory of 2720	2172	net.exe	net1.exe
PID 2172 wrote to memory of 2720	2172	net.exe	net1.exe
PID 1204 wrote to memory of 2864	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2864	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2864	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2864	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 2864 wrote to memory of 2736	2864	cmd.exe	setacl.exe
PID 2864 wrote to memory of 2736	2864	cmd.exe	setacl.exe
PID 2864 wrote to memory of 2736	2864	cmd.exe	setacl.exe
PID 2864 wrote to memory of 2736	2864	cmd.exe	setacl.exe
PID 1204 wrote to memory of 2588	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2588	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2588	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2588	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 2588 wrote to memory of 3012	2588	cmd.exe	setacl.exe
PID 2588 wrote to memory of 3012	2588	cmd.exe	setacl.exe
PID 2588 wrote to memory of 3012	2588	cmd.exe	setacl.exe
PID 2588 wrote to memory of 3012	2588	cmd.exe	setacl.exe
PID 1204 wrote to memory of 2332	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2332	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2332	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2332	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 2332 wrote to memory of 2760	2332	cmd.exe	setacl.exe
PID 2332 wrote to memory of 2760	2332	cmd.exe	setacl.exe
PID 2332 wrote to memory of 2760	2332	cmd.exe	setacl.exe
PID 2332 wrote to memory of 2760	2332	cmd.exe	setacl.exe
PID 1204 wrote to memory of 2716	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2716	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2716	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2716	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 2716 wrote to memory of 2628	2716	cmd.exe	setacl.exe
PID 2716 wrote to memory of 2628	2716	cmd.exe	setacl.exe
PID 2716 wrote to memory of 2628	2716	cmd.exe	setacl.exe
PID 2716 wrote to memory of 2628	2716	cmd.exe	setacl.exe
PID 1204 wrote to memory of 2576	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2576	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2576	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 1204 wrote to memory of 2576	1204	81ad0943b90b4dedbb6fd76278055c84.exe	cmd.exe
PID 2576 wrote to memory of 2612	2576	cmd.exe	setacl.exe
PID 2576 wrote to memory of 2612	2576	cmd.exe	setacl.exe
PID 2576 wrote to memory of 2612	2576	cmd.exe	setacl.exe
PID 2576 wrote to memory of 2612	2576	cmd.exe	setacl.exe

C:\Users\Admin\AppData\Local\Temp\81ad0943b90b4dedbb6fd76278055c84.exe
"C:\Users\Admin\AppData\Local\Temp\81ad0943b90b4dedbb6fd76278055c84.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup
2⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\net.exe
net localgroup
3⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
4⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Locky" -ot reg -actn ace -ace "n:VTILVGXH\Admin;p:read;m:deny" -ace "n:VTILVGXH\Admin;p:full;m:deny"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864

C:\Temp\setacl.exe
C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Locky" -ot reg -actn ace -ace "n:VTILVGXH\Admin;p:read;m:deny" -ace "n:VTILVGXH\Admin;p:full;m:deny"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:restricted;p:read;m:deny" -ace "n:restricted;p:full;m:deny"
2⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Temp\setacl.exe
C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:restricted;p:read;m:deny" -ace "n:restricted;p:full;m:deny"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:administrateurs;p:read;m:deny" -ace "n:administrateurs;p:full;m:deny"
2⤵
- Suspicious use of WriteProcessMemory
PID:2332

C:\Temp\setacl.exe
C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:administrateurs;p:read;m:deny" -ace "n:administrateurs;p:full;m:deny"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:système;p:read;m:deny" -ace "n:système;p:full;m:deny"
2⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Temp\setacl.exe
C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:système;p:read;m:deny" -ace "n:système;p:full;m:deny"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:system;p:read;m:deny" -ace "n:system;p:full;m:deny"
2⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Temp\setacl.exe
C:\Temp\setacl.exe -on "HKEY_USERS\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Locky" -ot reg -actn ace -ace "n:system;p:read;m:deny" -ace "n:system;p:full;m:deny"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2612

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Temp\setacl.exe
Filesize
546KB

MD5
3e350eb5df15c06dec400a39dd1c6f29

SHA1
f1434cfef2c05fda919922b721ec1a17adb3194e

SHA256
427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

SHA512
b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads