Locky Ransomware (Lukitus Variant) | VMRay Analyzer Report
Try VMRay Analyzer
| Creation Time | 2017-08-17 15:53 (UTC+2) |
| VM Analysis Duration Time | 00:02:27 |
| Execution Successful |
|
| Sample Filename | 098073.doc |
| Command Line Parameters |
|
| Prescript |
|
| Number of Processes | 7 |
| Termination Reason | Timeout |
| Download | Archive Function Logfile Generic Logfile PCAP STIX/CybOX XML Summary JSON |
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 16 |
| VTI Rule Type | Documents |
|
The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration. |
|
|
The dump total size limit was reached during the analysis. Some memory dump may be missing in the reports. You can increase the limit in the configuration. |
|
|
The overall sleep time of all monitored processes was truncated from 31 seconds to 10 seconds to reveal dormant functionality. |
| ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
|---|---|---|---|---|---|---|
| #1 | 0x9d8 | Analysis Target | Medium | winword.exe | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" | |
| #2 | 0xb68 | Child Process | Medium | agraba8.exe | "C:\Users\aETAdzjz\AppData\Local\Temp\agraba8.exe" | #1 |
| #3 | 0x728 | Created Scheduled Job | System (Elevated) | taskeng.exe | taskeng.exe {4E22B586-9520-4D04-A683-CAB40E860F60} S-1-5-18:NT AUTHORITY\System:Service: | #2 |
| #4 | 0x5f8 | Created Scheduled Job | High (Elevated) | taskeng.exe | taskeng.exe {A63D8ADE-049B-493D-9EF8-CBCBD23E6074} S-1-5-21-2345716840-1148442690-1481144037-1000:YKYD69Q\aETAdzjz:Interactive:Highest[1] | #2 |
| #5 | 0x8e0 | Child Process | Medium | iexplore.exe | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome | #2 |
| #8 | 0x7b0 | Child Process | Medium | cmd.exe | cmd.exe /C del /Q /F "C:\Users\aETAdzjz\AppData\Local\Temp\agraba8.exe" | #2 |
| #9 | 0x24c | Child Process | Medium | iexplore.exe | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2272 CREDAT:14337 | #5 |
| ID | #17444 |
| MD5 Hash Value | e458cf8ec7484ba8e24650b197d3e234 |
| SHA1 Hash Value | 4bd7a1b511c1f33f635ce05045ad66c4cb3840a5 |
| SHA256 Hash Value | 58d2c72e0806714172ed49659b1c967a78de387e5b330850968fb4e823474794 |
| Filename | 098073.doc |
| File Size | 48.46 KB (49622 bytes) |
| File Type | Word Document |
| Has VBA Macros |
|
| Analyzer Version | 2.2.0 |
| Analyzer Build Date | 2017-08-15 17:43 |
| Microsoft Office Version | 2016 |
| Microsoft Word Version | 16.0.4266.1003 |
| Internet Explorer Version | 8.0.7601.17514 |
| Chrome Version | 59.0.3071.115 |
| Firefox Version | 25.0 |
| Flash Version | 10.3.183.90 |
| Java Version | 7.0.710 |
| VM Name | win7_64_sp1-mso2016 |
| VM Architecture | x86 64-bit |
| VM OS | Windows 7 |
| VM Kernel Version | 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa) |
