Locky.A_140_1_1 is classified as a virus. A virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive.
Mutexes created
- Global\Da1a9a1a5aEaDa3aFa8a3aFa7a2a7a2a
- Local\Da1a9a1a5aEaDa3aFa8a3aFa7a2a7a2a
- _!MSFTHISTORY!_
- c:!documents and settings!soumy!local settings!temporary internet files!content.ie5!
- c:!documents and settings!soumy!cookies!
- c:!documents and settings!soumy!local settings!history!history.ie5!
- WininetStartupMutex
- WininetConnectionMutex
- WininetProxyRegistryMutex
Directory level activity
File level activity
- write - file - PIPE\lsarpc
Registry level activity
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCache
- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsDirectory
- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPaths
- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CachePath
- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CachePath
- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CachePath
- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CachePath
- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CacheLimit
- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CacheLimit
- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CacheLimit
- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CacheLimit
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCookies
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHistory
Library level activity
- load - library - KERNEL32.DLL
- load - library - rsaenh.dll
- load - library - NTMARTA.DLL
- load - library - kernel32.dll
- load - library - Secur32.dll
- load - library - shell32.dll
- load - library - KERNEL32
- load - library - rnaapp.exe
- load - library - kernel32.dll
Process API calls used
- NtFreeVirtualMemory
- NtCreateSection
- ZwMapViewOfSection
- NtOpenSection
- ZwMapViewOfSection
Registry API calls used
- NtOpenKey
- RegOpenKeyExA
- RegQueryValueExA
- RegCloseKey
- NtQueryValueKey
- RegOpenKeyExW
- RegCreateKeyExW
- RegQueryValueExW
- RegSetValueExW
- RegSetValueExA
- RegEnumKeyExA
- RegEnumValueA
- RegQueryValueExA
System API calls used
- LdrGetDllHandle
- LdrGetProcedureAddress
- NtDelayExecution
- LdrLoadDll
- NtDelayExecution
Filesystem API calls used
- NtOpenFile
- NtQueryInformationFile
- NtCreateFile
- NtReadFile
- NtSetInformationFile
- NtWriteFile
- NtDeviceIoControlFile
- NtDeviceIoControlFile
Network
UDP source >> destination
- 192.168.30.254 >> 192.168.30.6
- 192.168.30.6 >> 192.168.30.255
TCP source >> destination
- 192.168.30.6 >> 192.168.30.254
Domains:
DNS Request:
HTTP Request:
DLL related data
Number of DLLs imported = 11
- KERNEL32.dll
- USER32.dll
- GDI32.dll
- ADVAPI32.dll
- SHELL32.dll
- ole32.dll
- OLEAUT32.dll
- WININET.dll
- MPR.dll
- NETAPI32.dll
- urlmon.dll