Analysis
- max time kernel: 146s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-05-2024 04:35
- Static task: static1
- Behavioral task: behavioral1
  Sample: 2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe
  Resource: win7-20240508-en
- Behavioral task: behavioral2
  Sample: 2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe
  Resource: win10v2004-20240426-en
General
- Target: 2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe
- Size: 517KB
- MD5: f9a17a26036fe111324030e27e891cea
- SHA1: bf7cdc42f6ac5985be37819dcd2f5bbfedd582e1
- SHA256: d7d0561555b788d2048f7a6904318c44e01a16299bb3177250c4478170d7fa51
- SHA512: f0246f51c92334c60ad75fc26bd5fc016f7a8d14d1b55018bd98c9ae1f95cfdc2099d91bdef82a2523890777117be3f2db3c7ce993e04f1a1e48aee70a09868a
- SSDEEP: 12288:uVRm47ugq9QLXzNWVn4Fkl6BQ2yLhxPtIS4GudgBXllbXtdj:uVzzzjNO4FkUQ2yL7PtIdGudqlb9dj
Malware Config
Signatures
- Locky (Lukitus variant)
  Variant of the Locky ransomware seen in the wild since late 2017.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\lukitus.bmp" (process: 2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
- Modifies Control Panel (2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\WallpaperStyle = "0" (process: 2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\TileWallpaper = "0" (process: 2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs; distinct pid/process pairs)
  - 1316 msedge.exe
  - 4500 msedge.exe
  - 2852 identity_helper.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs; distinct pid/process pairs)
  - 4500 msedge.exe
- Suspicious use of FindShellTrayWindow (25 IoCs; distinct pid/process pairs)
  - 4500 msedge.exe
- Suspicious use of SendNotifyMessage (24 IoCs; distinct pid/process pairs)
  - 4500 msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs; distinct rows, columns: description, pid, Process, procid_target)
  - PID 4980 wrote to memory of 4500 | 4980 | 2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe | 93
  - PID 4980 wrote to memory of 4504 | 4980 | 2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe | 94
  - PID 4500 wrote to memory of 4808 | 4500 | msedge.exe | 95
  - PID 4500 wrote to memory of 4644 | 4500 | msedge.exe | 97
  - PID 4500 wrote to memory of 1316 | 4500 | msedge.exe | 98
  - PID 4500 wrote to memory of 4376 | 4500 | msedge.exe | 99
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe (PID 4980)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe"
  Signatures: Sets desktop wallpaper using registry; Modifies Control Panel; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4500)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\lukitus.htm
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4808)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ff92b1946f8,0x7ff92b194708,0x7ff92b194718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4644)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1316)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4376)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4972)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3836)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2952)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2852)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 8)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4448)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2232)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4612)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16445122743253886346,7811023607842206029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  - C:\Windows\SysWOW64\cmd.exe (PID 4504)
    Command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\2024-05-30_f9a17a26036fe111324030e27e891cea_locky.exe"
- C:\Windows\System32\CompPkgSrv.exe (PID 2192)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 4224)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads