Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
04-02-2024 14:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Locky.exe
Resource
win7-20231215-en
windows7-x64
6 signatures
150 seconds
General
-
Target
Locky.exe
-
Size
180KB
-
MD5
b06d9dd17c69ed2ae75d9e40b2631b42
-
SHA1
b606aaa402bfe4a15ef80165e964d384f25564e4
-
SHA256
bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
-
SHA512
8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c
-
SSDEEP
3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6
Score
10/10
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
taskmgr.exepid process 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exepid process 2288 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
taskmgr.exedescription pid process Token: SeDebugPrivilege 2288 taskmgr.exe -
Suspicious use of FindShellTrayWindow 39 IoCs
Processes:
taskmgr.exepid process 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe -
Suspicious use of SendNotifyMessage 39 IoCs
Processes:
taskmgr.exepid process 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe 2288 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Locky.exe"C:\Users\Admin\AppData\Local\Temp\Locky.exe"1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2288-13-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2288-14-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/3020-0-0x0000000000220000-0x0000000000224000-memory.dmpFilesize
16KB
-
memory/3020-1-0x0000000000220000-0x0000000000224000-memory.dmpFilesize
16KB
-
memory/3020-2-0x0000000000400000-0x00000000007D1000-memory.dmpFilesize
3.8MB
-
memory/3020-4-0x0000000000400000-0x00000000007D1000-memory.dmpFilesize
3.8MB
-
memory/3020-6-0x0000000000400000-0x00000000007D1000-memory.dmpFilesize
3.8MB
-
memory/3020-7-0x0000000000400000-0x00000000007D1000-memory.dmpFilesize
3.8MB
-
memory/3020-11-0x0000000000400000-0x00000000007D1000-memory.dmpFilesize
3.8MB
-
memory/3020-12-0x0000000000400000-0x00000000007D1000-memory.dmpFilesize
3.8MB
-
memory/3020-16-0x0000000000400000-0x00000000007D1000-memory.dmpFilesize
3.8MB