Field | Value |
---|---|
File name: | lockyRansomware.bin |
Full analysis: | https://app.any.run/tasks/38b57b69-6815-4ffe-8522-896ec4a32a09 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2022, 17:15:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 67E0107CB365D9360C707C260D3ACFA9 |
SHA1: | D58A690203881B682446D431177EA86F87CEEF27 |
SHA256: | 4C054127056FB400ACBAB7825AA2754942121E6C49B0F82AE20E65422ABDEE4F |
SSDEEP: | 12288:LN2Rwpfr+foKIQG5IYBoOltIG5epfJ3p4zON:J2RwRQkHzIG5e5s6N |
Extension | File type match (score) |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (64.4) |
.dll | Win32 Dynamic Link Library (generic) (13.5) |
.exe | Win32 Executable (generic) (9.3) |
.exe | Win16/32 Executable Delphi generic (4.2) |
.exe | Generic Win/DOS Executable (4.1) |
Field | Value |
---|---|
VarFileInfo: | - |
Tag040904B0: | - |
TechSupport: | http://www.3ware.com |
ProductVersion: | SRV 1.03.00.001 |
ProductName: | 3ware Storage Controller |
LegalCopyright: | Copyright © 2000 by 3ware, Inc. |
InternalName: | 3wareSrv |
FileVersion: | SRV 1.03.00.001 |
FileDescription: | 3ware Driver Service |
CompanyName: | 3ware, Inc. |
CharacterSet: | Windows, Latin1 |
LanguageCode: | English (U.S.) |
FileSubtype: | 7 |
ObjectFileType: | Driver |
FileOS: | Windows NT |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.3.0.1 |
FileVersionNumber: | 1.3.0.1 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x3222 |
UninitializedDataSize: | - |
InitializedDataSize: | 593408 |
CodeSize: | 77824 |
LinkerVersion: | 8 |
PEType: | PE32 |
TimeStamp: | 2016:03:30 02:00:03+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 30-Mar-2016 00:00:03 |
Detected languages: | |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
PE header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 30-Mar-2016 00:00:03 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00013000 | 0x00012200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.33432 |
.data | 0x00014000 | 0x000234AC | 0x00023600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.5826 |
.rdata | 0x00038000 | 0x000272A0 | 0x00027400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.60232 |
.pdata | 0x00060000 | 0x00042040 | 0x0003DE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.41053 |
.idata | 0x000A3000 | 0x0000337C | 0x00003400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.44436 |
.rsrc | 0x000A7000 | 0x00000D4C | 0x00000E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.11947 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.41978 | 1412 | UNKNOWN | English - United States | RT_VERSION |
2 | 2.57313 | 296 | UNKNOWN | English - United States | RT_ICON |
IDI_3WARE | 2.37086 | 34 | UNKNOWN | English - United States | RT_GROUP_ICON |
Imported DLL |
---|
ADVAPI32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
WINMM.dll |
WINSPOOL.DRV |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | User | Integrity Level | Exit code | Company / Description / Version |
---|---|---|---|---|---|---|---|---|
2800 | "C:\Users\admin\AppData\Local\Temp\lockyRansomware.bin.exe" | C:\Users\admin\AppData\Local\Temp\lockyRansomware.bin.exe | — | Explorer.EXE | admin | MEDIUM | 0 | - |
696 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\asasin.htm | C:\Program Files\Internet Explorer\iexplore.exe | — | lockyRansomware.bin.exe | admin | MEDIUM | - | Microsoft Corporation; Internet Explorer; 11.00.9600.16428 (winblue_gdr.131013-1700) |
4060 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | admin | MEDIUM | - | Microsoft Corporation; COM Surrogate; 6.1.7600.16385 (win7_rtm.090713-1255) |
2516 | cmd.exe /C del /Q /F "C:\Users\admin\AppData\Local\Temp\lockyRansomware.bin.exe" | C:\Windows\system32\cmd.exe | — | lockyRansomware.bin.exe | admin | MEDIUM | 0 | Microsoft Corporation; Windows Command Processor; 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2716 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:696 CREDAT:144385 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | admin | MEDIUM | - | Microsoft Corporation; Internet Explorer; 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2800 | lockyRansomware.bin.exe | C:\Users\admin\Documents\Outlook Files\[email protected] | binary | 4C8E8B071BADDA696D58FAC1C5A1B9C2 | A3350CCB32765A97061E16133ECC91C7F32AA8E6123CDC99D15590A629980CC8 |
2800 | lockyRansomware.bin.exe | C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst | binary | B3B1BF9998353863E54800E7725DC66A | 43812B0911FA084478C25EAD8D0085EA3763AD7EF7DEE257898DA8B6249FDF38 |
2800 | lockyRansomware.bin.exe | C:\Users\admin\Desktop\talkcontent.rtf | binary | 25096ED2131E0B7F70CD33975022AB3C | 8C604C805E1AD1BC6D4250F87564B2920C0EE35772EC76EBC7212468E0C6E9D0 |
2800 | lockyRansomware.bin.exe | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | binary | 0CFBA69672E5C4A94A8BC0497669DCC4 | 32B1EF960591C9A06D6948D63BFA59E63BFF13D6D156DEF91CA8A65839C7FCC3 |
2800 | lockyRansomware.bin.exe | C:\Users\admin\Desktop\NIFPEAZC-M556-R7CW-07D24AEF-0B173E5CEF78.asasin | text | 6C544795CAA8534EDA3B1B7275D7E880 | A4ABCC8DC92C5B7A286504A49B1229A7008585C9F11A7A796868FDE58F65464E |
2800 | lockyRansomware.bin.exe | C:\Users\admin\Desktop\reallyeditor.rtf | binary | 574EFBB8E9BB2B842FCA470037C8193A | CC0092FC62A57222EA2DF6323E9C29CCCA7F2FDF67C47D8D272C4CAF5A345B27 |
2800 | lockyRansomware.bin.exe | C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2 | binary | 1CD7AD090A2DB1B68CB9F04D213CC7B9 | B26F0077BD53FDEAA4999DEFB0B396556C2BFDEDF8004F144C093A591327FD52 |
2800 | lockyRansomware.bin.exe | C:\Users\admin\Documents\Outlook Files\NIFPEAZC-M556-R7CW-B8A9C92C-0E8C64D462D4.asasin | pst | 21CC8FF20FE6574731A46D01B7A91C9B | D9DD4E0DD6E550118E5C8EEDD0409AAD7081FFD66DA41B34A48C4C9A28416845 |
2800 | lockyRansomware.bin.exe | C:\Users\admin\Desktop\NIFPEAZC-M556-R7CW-81AB6E71-CAC42BDE1CB6.asasin | text | 02DB0C5C4E7820BAA3A9E81CDEAA1E47 | 7E568CFA04442C0295F5FF7712524DD8B0272E4C4C74DEC4DD947327718542F5 |
2800 | lockyRansomware.bin.exe | C:\Users\admin\Desktop\NIFPEAZC-M556-R7CW-9AB97E4B-04E3054B0EAB.asasin | text | 47EB4176C70AF2B74151A4F07E5CDE56 | 7C4EE412B65C35C43BE260BC1DDCB71E0DC450D1359C9A9FAA43699D5CA82711 |