Managed XDR

exemplar (Locky) — malware analysis report

File info

Filename: exemplar
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size: 591 KB
First seen:
Last seen:

Environment

win7/x86 en

Hashes

SHA1: 3b1b95ced4da55137d79619ec4c0c7eb44e75b54
SHA256: abd90fe555c420f7f1384e19f7d685a4b4c0ef6c03384431dfb4a732f82215fc
MD5: b5ba921e56fc3c85ee8e237d5835fdac

Malware

  • Locky

Signatures

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1070.004 deletes_self: Moves to different location or removes the original executable file
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1480 system_default_lang_id_present: Checks the system language
T1070.004 self_removal_command: Executes command to delete itself

Credential Access

T1552.001 infostealer_bitcoin: Attempts to obtain access to Bitcoin/ALTCoin wallets
T1552 cookie_files: Accesses cookie files
T1555.003 cookie_files: Accesses cookie files

Discovery

T1083 crawls_directories: Opens a huge number of directories all over disk C: (possibly, searches for sensitive data)
T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1083 checks_recent_files: Attempts to check recently opened files through the registry

Command and Control

T1071.001 network_http: Performs HTTP requests
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Impact

T1486 modifies_files: Cryptolocker indicators detected (renamed 100 or more files)
T1486 ransomware_windows_possible: Ransomware indicators detected (possible ransom window creation)
T1490 vssadmin_delete_shadows: Attempts to delete volume shadow copies
T1486 modifies_files2: Cryptolocker indicators detected (100 or more files are modified)
T1486 ransomware_extensions: Ransomware (Locky) indicators detected (a specific extension is added to files)

Other

yara_rules: Static rules
cryptolocker_wallpaper: Ransomware indicators detected (changes the desktop wallpaper file)
unexpected_exception: Unexpected exception
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
creates_in_programdata: Creates files in the ProgramData directory
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call

Related reports