locky | bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7

Resubmissions

05-08-2024 22:23

240805-2ba2rathle 10

27-04-2024 00:38

240427-ay3xhafc53 10

20-04-2024 05:28

240420-f6ht7aad5w 10

Analysis

max time kernel
1793s
max time network
1797s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Locky.exe
Size

180KB
MD5

b06d9dd17c69ed2ae75d9e40b2631b42
SHA1

b606aaa402bfe4a15ef80165e964d384f25564e4
SHA256

bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
SHA512

8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c
SSDEEP

3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid	Process
2156	vlc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid	Process
1140	msedge.exe
1140	msedge.exe
3564	msedge.exe
3564	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid	Process
2156	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid	Process
3564	msedge.exe
3564	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description	pid	Process
Token: SeManageVolumePrivilege	1824	svchost.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

msedge.exevlc.exe

pid	Process
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
2156	vlc.exe
2156	vlc.exe
2156	vlc.exe
2156	vlc.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

msedge.exevlc.exe

pid	Process
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
3564	msedge.exe
2156	vlc.exe
2156	vlc.exe
2156	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid	Process
2156	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 3564 wrote to memory of 1752	3564	msedge.exe	138
PID 3564 wrote to memory of 1752	3564	msedge.exe	138
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 3228	3564	msedge.exe	139
PID 3564 wrote to memory of 1140	3564	msedge.exe	140
PID 3564 wrote to memory of 1140	3564	msedge.exe	140
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141
PID 3564 wrote to memory of 3712	3564	msedge.exe	141

C:\Users\Admin\AppData\Local\Temp\Locky.exe
"C:\Users\Admin\AppData\Local\Temp\Locky.exe"
1⤵
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SplitReset.bat" "
1⤵
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SplitReset.bat" "
1⤵
PID:3004

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x314
1⤵
PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SplitReset.bat" "
1⤵
PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SplitReset.bat" "
1⤵
PID:4364

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\StartOpen.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe7ed746f8,0x7ffe7ed74708,0x7ffe7ed74718
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,8575883223585370715,1837590515559725867,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,8575883223585370715,1837590515559725867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,8575883223585370715,1837590515559725867,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,8575883223585370715,1837590515559725867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,8575883223585370715,1837590515559725867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2588

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\InstallRemove.MTS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb138796dbfb37877fcae3430bb1e2a7

SHA1
82bb82178c07530e42eca6caf3178d66527558bc

SHA256
50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd

SHA512
287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9519bc058003dbea34765176083739e

SHA1
ef49b8790219eaddbdacb7fc97d3d05433b8575c

SHA256
e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b

SHA512
a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0a1f52751adc82f8c5f5e091bffc261e

SHA1
5462a2e66b13bd5c7d5f9dc9506474a87896c950

SHA256
470c07658221b94dc39281f0ae8d276fc32e52ccddb78c4f7ceed8cd9481cc2c

SHA512
ac27c22e36ab43bcc24e6b23201f7fd90135a71567d7b1aebb1f6f66d3df6b8d3fffa6237fb894aac33a7bfa4c508f829895e62b6e5d1b59752b820719ef5ad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d8136bf378ed21fca518a8db76abc24

SHA1
6bbeebf00b920b67de8b90bd4d596d7d0ccdaed3

SHA256
e469c005ed50964f2269946530e3a95e63b01b9e045939b08e6aeea2df9893c3

SHA512
0f3890dba49af488307d1263b66e42772b4ac357a52e3d330a63b3701919060cc8c444744cbd7fd63d1a303bc93686d4e5a4e88ad8aef0d310d25fcbe65d670a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
062671aac6956346e764f98ff8447084

SHA1
5a7f7833448a56acf25dff12e4f3bf28225786c7

SHA256
2ec0851856c3af2d8b8d345ca650765385eb7f691e27d9acb41da5fe29de90ea

SHA512
236ad7c9d0078daf1261a225bb2cc756ef0b68b7cb07b9794eafe9fc562b713390b7f3fbfb20e8a4756f5f3f709b039bfc037b6ae64eb426db256eb3c614ce6d

Download Submit
\??\pipe\LOCAL\crashpad_3564_FMGDRZFIBZYGJARN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1212-23-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-27-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-13-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-14-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-16-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-18-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-20-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-22-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-0-0x0000000000A40000-0x0000000000A44000-memory.dmp

Filesize
16KB

Download
memory/1212-24-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-26-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-11-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-29-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-1-0x0000000000A40000-0x0000000000A44000-memory.dmp

Filesize
16KB

Download
memory/1212-2-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-4-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-10-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-7-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1212-6-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1824-66-0x00000192BD780000-0x00000192BD781000-memory.dmp

Filesize
4KB

Download
memory/1824-50-0x00000192B5440000-0x00000192B5450000-memory.dmp

Filesize
64KB

Download
memory/1824-34-0x00000192B5340000-0x00000192B5350000-memory.dmp

Filesize
64KB

Download