Analysis

  • max time kernel
    146s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 04:35

General

  • Target

    2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe

  • Size

    517KB

  • MD5

    f9a17a26036fe111324030e27e891cea

  • SHA1

    bf7cdc42f6ac5985be37819dcd2f5bbfedd582e1

  • SHA256

    d7d0561555b788d2048f7a6904318c44e01a16299bb3177250c4478170d7fa51

  • SHA512

    f0246f51c92334c60ad75fc26bd5fc016f7a8d14d1b55018bd98c9ae1f95cfdc2099d91bdef82a2523890777117be3f2db3c7ce993e04f1a1e48aee70a09868a

  • SSDEEP

    12288:uVRm47ugq9QLXzNWVn4Fkl6BQ2yLhxPtIS4GudgBXllbXtdj:uVzzzjNO4FkUQ2yL7PtIdGudqlb9dj

Malware Config

Signatures

  • Locky (Lukitus variant)

    Variant of the Locky ransomware seen in the wild since late 2017.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\lukitus.htm
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ff92b1946f8,0x7ff92b194708,0x7ff92b194718
        3⤵
          PID:4808
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
          3⤵
            PID:4644
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1316
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
            3⤵
              PID:4376
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
              3⤵
                PID:4972
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
                3⤵
                  PID:3836
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
                  3⤵
                    PID:2952
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2852
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
                    3⤵
                      PID:8
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
                      3⤵
                        PID:4448
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
                        3⤵
                          PID:2232
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
                          3⤵
                            PID:4612
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe"
                          2⤵
                            PID:4504
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:2192
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4224

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              f53207a5ca2ef5c7e976cbb3cb26d870

                              SHA1

                              49a8cc44f53da77bb3dfb36fc7676ed54675db43

                              SHA256

                              19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

                              SHA512

                              be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              ae54e9db2e89f2c54da8cc0bfcbd26bd

                              SHA1

                              a88af6c673609ecbc51a1a60dfbc8577830d2b5d

                              SHA256

                              5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

                              SHA512

                              e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              5KB

                              MD5

                              6c71a4e730c05433ef03841f3dc9eb25

                              SHA1

                              f249489feb97d5f8e22029de41f0127018af37bc

                              SHA256

                              51a6e926f613489b6e751ca90ab9415e3bade7b8df0900a112ebbf01ff5e3c4e

                              SHA512

                              2d848cb27e6bcac8732911672aad12f25469bfd72c026423c742df50c23173ac1bd31371767791cc6de1542996a6804d37c5f494d0412a2c759dc6788519f558

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              6KB

                              MD5

                              6b60dfecb88f8a2c6ab29d164e8da620

                              SHA1

                              a801fbe50b87257a34ece5a2c8045814dad0cfcb

                              SHA256

                              09c9254081d54bbaecff50e1a97c48c5855516db032e817b06e3eeb8bb02717a

                              SHA512

                              612a27191a8546bf2b89b90124880f1f15ba7f9b1f2d1378c37d4c6e0a102f988aa69192799445de9525a4c7cfc751b3cb65f172323d686b3c946b914d20d7bb

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                              Filesize

                              16B

                              MD5

                              6752a1d65b201c13b62ea44016eb221f

                              SHA1

                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                              SHA256

                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                              SHA512

                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              10KB

                              MD5

                              77fca16a7425cabeff85a3fa4077aef7

                              SHA1

                              14bac3802bb701242dfd06d91388c2dcf3464389

                              SHA256

                              b68029ae674819cadb28fe3fea6776fe0b3db4d61675bfac47d748df750d542f

                              SHA512

                              44542f5177742e329b216af791e15b2e15a061bbeb27c46471cb0b0a6e9ef14143a0ab5afc20a77a9fc1d82911617587ef2cffe07e0239b34a979c46c96b4c33

                            • C:\lukitus-8cf3.htm

                              Filesize

                              8KB

                              MD5

                              73fe7688651f2a5dd0f66d60d2d8b885

                              SHA1

                              35844712392f8c1d6afc11c75f6bf35af9df3099

                              SHA256

                              68e7dbc2669d8be778474f8a38d711f24af773b726727955b71180351379d478

                              SHA512

                              5d3029ba9b8c7596547d7741c35950d79240cb400ae2ece95b9606250b7b5cbf4114d67d1fc66b259207d86defd9c51bb8969dcd37fd4d64fca4715b4fffbd49