Overview

overview

10

Static

static

3

2024-05-30...ky.exe

windows7-x64

10

2024-05-30...ky.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/05/2024, 00:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-30_7619daf0a58c873caa3790bc66f84204_locky.exe

  • Size

    517KB

  • MD5

    7619daf0a58c873caa3790bc66f84204

  • SHA1

    1feb1683d1b149601d2036b41ed36fd9c9d88f6d

  • SHA256

    ce91d20c7f9e548ba5cf56e84cf8e535566bdaf6dd319d948988e3246d7f6644

  • SHA512

    2326dbe762b73cd83bbf0e8964ae9d7836686b5127b4d7d2064936ca81f2906d58e645b3928801b50ae3a86167a131a8b90d5d9c2ef8e0871bf150fcf4995508

  • SSDEEP

    12288:uVRm47ugq9QLXzNWVn4Fkl6BQ2yLhxPtIS4GudgBXllbXtdj:uVzzzjNO4FkUQ2yL7PtIdGudqlb9dj

Score
10/10
locky_lukitusransomware

Malware Config

Signatures

  • Locky (Lukitus variant)

    Variant of the Locky ransomware seen in the wild since late 2017.

    ransomwarelocky_lukitus
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-30_7619daf0a58c873caa3790bc66f84204_locky.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-30_7619daf0a58c873caa3790bc66f84204_locky.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\lukitus.htm
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4828
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa547346f8,0x7ffa54734708,0x7ffa54734718
        3⤵
          PID:1844
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,2465925049240894683,53828717305122409,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
          3⤵
            PID:228
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,2465925049240894683,53828717305122409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4916
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,2465925049240894683,53828717305122409,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
            3⤵
              PID:2708
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2465925049240894683,53828717305122409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
              3⤵
                PID:3940
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2465925049240894683,53828717305122409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
                3⤵
                  PID:2192
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,2465925049240894683,53828717305122409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
                  3⤵
                    PID:1408
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,2465925049240894683,53828717305122409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2508
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2465925049240894683,53828717305122409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
                    3⤵
                      PID:3604
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2465925049240894683,53828717305122409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
                      3⤵
                        PID:4912
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2465925049240894683,53828717305122409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
                        3⤵
                          PID:1972
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,2465925049240894683,53828717305122409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
                          3⤵
                            PID:3332
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\2024-05-30_7619daf0a58c873caa3790bc66f84204_locky.exe"
                          2⤵
                            PID:1700
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:3960
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2316

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              ecdc2754d7d2ae862272153aa9b9ca6e

                              SHA1

                              c19bed1c6e1c998b9fa93298639ad7961339147d

                              SHA256

                              a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

                              SHA512

                              cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              2daa93382bba07cbc40af372d30ec576

                              SHA1

                              c5e709dc3e2e4df2ff841fbde3e30170e7428a94

                              SHA256

                              1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

                              SHA512

                              65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              5KB

                              MD5

                              fc4acfb856b1b82184ae561f9a77e32b

                              SHA1

                              f5f51a69618440ca1801762ea0d143b282e8cfdf

                              SHA256

                              a58587a926b173fb1d39aaa0b47457bf8aeb9dad6b934402faf5296827d29ed3

                              SHA512

                              e892c23bc2a53199b041db1fbfc10a9a2248cb11d2836b01dd5ba6b44f4c94e8c032db122a6ecf86651bd1b5040cbde651fa4ea64c0a1bb7ac24415b5977db39

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              9adb3a88f1a0875f5714e9db42a1536a

                              SHA1

                              c5ede90d13ae47a0c3fe543be243be06d8646847

                              SHA256

                              2d4da3af5ce603b79f8a64eb6da0000d0482304b55130561277cf70cc5eb95bb

                              SHA512

                              8ed05d2958357e49c36d4fedb78cf28499dd5ea4bb42d1cd00be9429a0c3fb542e24387820abc724579f30bd65825ac3c258932d995260844a0b8227af3b2404

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                              Filesize

                              16B

                              MD5

                              6752a1d65b201c13b62ea44016eb221f

                              SHA1

                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                              SHA256

                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                              SHA512

                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                              Filesize

                              10KB

                              MD5

                              33d48029c021dfd90394bb2573448b9a

                              SHA1

                              de0e820862343056308f24c6d5f854dcf1b88fa0

                              SHA256

                              c12cb0687b9e6d81b31195d70338b291d470d792890bca84dae384377b228593

                              SHA512

                              465b9aefa1dac6f53d50dec3679a3673515489c64baa7938b209d99650121ccc22596557c5d915bec66ad893e29c7dbaeaf926bdb76087fe5be1e3f4466bfa7f

                              Download Submit

                            • C:\Users\Admin\Music\lukitus-f624.htm
                              Filesize

                              8KB

                              MD5

                              4a1511b76836ea201e1568a3f99d2b22

                              SHA1

                              e8c2bfd5581574d2f4ae52ef636a59ec4a0cfd6b

                              SHA256

                              a278cd555e5efe10e49fc62404401b6f75d99d6143819b2ccfce1e324dc2daac

                              SHA512

                              7ed1eb853088dca9e9144069d890ce344f0397d269a7e2376ccc1491c779250690ac1433ac9b9c27e5924b7338a514fc82c7d191102d2e1938a3fa47b0fa53f7

                              Download Submit