malware[.]zip | Triage

General

Target

malware.zip
Size

121KB
MD5

abaf4783b0757ec06b31251e980a1eaa
SHA1

40b6f277c5d8c50d5e8007b498a92c2ff73b8029
SHA256

98e0c1e5d2e8e25ff99029d2f76a45a1b320c8cf3349df45d02dcd4070c0f49f
SHA512

74933dfa0a0cc46a40a71efdf30e57848d1130cbf00b44bd77bd58458d671d03916b1432bb2b062f9d076390283da7f89e4680fd7c32ea6f60be0533e6bd42b8
SSDEEP

3072:+iRgX3TJXl/CvZmnm/S0kXIj4rq5rbSC4bpsFUUR28VfS:PWX3TJXsom/SVSGqvhc8tS

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/locky sample/document_copy_payload.exe

Files

malware.zip
.zip

Password: infected
locky sample/document_copy.js
.js
locky sample/document_copy_payload.exe
.exe windows:3 windows x86 arch:x86

6c7a689fe4b26f0ecb3b07b4c974cb0b

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

GetWindowsDirectoryA
_lopen
LoadLibraryW
GetACP
GetOEMCP
GetACP
GetACP
GetLastError
Beep
_lread

dsauth

DhcpDsGetRoot
DhcpDsDelServer

imm32

ImmActivateLayout
ImmAssociateContext
ImmAssociateContextEx
ImmCallImeConsoleIME
ImmConfigureIMEA
ImmConfigureIMEW
ImmCreateContext
ImmCreateSoftKeyboard
ImmDestroyContext
ImmDestroySoftKeyboard
ImmDisableIME
ImmDisableIme
ImmDisableTextFrameService
ImmEnumInputContext
ImmEnumRegisterWordA
ImmEnumRegisterWordW
ImmGenerateMessage
ImmGetAppCompatFlags
ImmGetCandidateListA
ImmGetCandidateListCountA
ImmGetCandidateListCountW
ImmGetCandidateListW
ImmGetCandidateWindow
ImmGetCompositionFontA
ImmGetCompositionFontW
ImmGetCompositionStringA
ImmGetCompositionStringW
ImmGetCompositionWindow
ImmGetConversionListA
ImmGetConversionListW
ImmGetConversionStatus
ImmGetDefaultIMEWnd
ImmGetDescriptionA
ImmGetDescriptionW

winhttp

WinHttpCreateUrl
WinHttpCreateUrl
WinHttpCreateUrl
WinHttpCreateUrl
WinHttpCreateUrl
WinHttpCreateUrl
WinHttpCreateUrl

Sections

1rya
Size: 2KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

spnngd
Size: 5KB - Virtual size: 97KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

ju121
Size: 140KB - Virtual size: 139KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
sample2/invoice.js
.js

Resubmissions

Sharing

General

Malware Config

Signatures

Files

Password: infected

6c7a689fe4b26f0ecb3b07b4c974cb0b

Headers

File Characteristics

Imports

kernel32

dsauth

imm32

winhttp

Sections

1rya Size: 2KB - Virtual size: 9KB

spnngd Size: 5KB - Virtual size: 97KB

ju121 Size: 140KB - Virtual size: 139KB

1rya
Size: 2KB - Virtual size: 9KB

spnngd
Size: 5KB - Virtual size: 97KB

ju121
Size: 140KB - Virtual size: 139KB