ZIP’d WSF File Drops Locky Ransomware

IOCs:

– GET /ulndads?wQPDjpgBhgm=jNgqRaGXM
– GET /dhxpkuh?wQPDjpgBhgm=jNgqRaGXM
– GET /js/vf3gt4b4?wQPDjpgBhgm=jNgqRaGXM
– POST /data/info.php
– POST /data/info.php

SHA256: 852c79d430e401f6b57946718ca6555c328dd503b13b9cda22e481903ebe8575
File names: asWMWhWmB3.dll and asWMWhWmB1.dll (identical content, two names)

SHA256: 72d9cbdec23f9c4f95ce8fb1217ef67c979957c58b4fb7c8fe98ac8cec62aca7
File name: asWMWhWmB2.dll

The user received the following malspam:

Subject: 39098622pdf
Attachment =

Opening the attachment shows a Windows Script File called “uMRPhx3” (30,486 bytes):

Executing the script caused the host to make three GET requests. Note that all three carry the same query string, wQPDjpgBhgm=jNgqRaGXM, on otherwise random-looking paths, which is a better detection pivot than the paths themselves:

These three GET requests correspond to three DLLs dropped into the user's local temp directory (AppData\Local\Temp, i.e. %TEMP%):

Only two of the three DLLs are unique: asWMWhWmB3.dll and asWMWhWmB1.dll have the same SHA256 hash (listed above), so the script fetched the same payload twice under different names. Both unique files were flagged as Locky ransomware when scanned.

After the GET requests for the Locky payloads, the host made POST requests to /data/info.php on domains that appear to be DGA-generated (command-and-control callback traffic):

Encrypted files had the .zepto extension appended (the Zepto variant of Locky), and the usual Locky ransom notes were dropped on the Desktop and elsewhere:
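The infection chain above (three GETs sharing one query string, followed by POSTs to /data/info.php on throwaway domains, and duplicate DLLs in %TEMP%) is easy to turn into detection logic. The following is an added example, not code from the original post: it parses a constructed proxy log (the log format, client IPs, timestamps and hostnames are assumptions) and flags clients that show the download-then-callback sequence, and it deduplicates a sha256sum-style listing of the temp directory against the two hashes from the post. The IOC query string, callback path and SHA256 values are the ones listed above.

```python
"""Detection helpers for the Locky/Zepto delivery chain described in the post.

Added example. The proxy log format, hostnames, client IPs and timestamps
below are constructed for illustration; the query string, POST path and
SHA256 hashes are the IOCs from the post.
"""
import hashlib
import os
import re
from collections import defaultdict

# IOCs taken from the post
IOC_QUERY = "wQPDjpgBhgm=jNgqRaGXM"
IOC_POST_PATH = "/data/info.php"
IOC_SHA256 = {
    "852c79d430e401f6b57946718ca6555c328dd503b13b9cda22e481903ebe8575",
    "72d9cbdec23f9c4f95ce8fb1217ef67c979957c58b4fb7c8fe98ac8cec62aca7",
}

# Constructed proxy log: "<epoch> <client_ip> <method> <url> <status>".
# Hostnames are placeholders; the paths/query are the ones from the post.
SAMPLE_LOG = """\
1470000001 10.0.0.5 GET http://example-a.invalid/ulndads?wQPDjpgBhgm=jNgqRaGXM 200
1470000003 10.0.0.5 GET http://example-b.invalid/dhxpkuh?wQPDjpgBhgm=jNgqRaGXM 200
1470000004 10.0.0.5 GET http://example-c.invalid/js/vf3gt4b4?wQPDjpgBhgm=jNgqRaGXM 200
1470000010 10.0.0.5 POST http://kjhwqeriuy.invalid/data/info.php 200
1470000012 10.0.0.5 POST http://poiuzxcvnm.invalid/data/info.php 200
1470000020 10.0.0.9 GET http://www.example.com/index.html 200
1470000025 10.0.0.9 POST http://intranet.example.com/data/info.php 200
"""

LOG_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/]+)(/[^?]*)(?:\?(.*))?$")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        um = URL_RE.match(url)
        if not um:
            continue
        host, path, query = um.groups()
        events.append({"ts": int(ts), "client": client, "method": method,
                       "host": host, "path": path, "query": query or "",
                       "status": int(status)})
    return events


def find_locky_chain(events, window=300):
    """Per client, collect GETs carrying the IOC query string and any POST to
    /data/info.php that follows the most recent such GET within `window`
    seconds. A POST to /data/info.php with no preceding download is ignored,
    since that path alone is a weak indicator (see client 10.0.0.9 above).
    Returns {client: {"downloads": [...], "callbacks": [...]}}."""
    by_client = defaultdict(lambda: {"downloads": [], "callbacks": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        rec = by_client[ev["client"]]
        if ev["method"] == "GET" and ev["query"] == IOC_QUERY:
            rec["downloads"].append(ev)
        elif (ev["method"] == "POST" and ev["path"] == IOC_POST_PATH
              and rec["downloads"]
              and ev["ts"] - rec["downloads"][-1]["ts"] <= window):
            rec["callbacks"].append(ev)
    return {c: r for c, r in by_client.items()
            if r["downloads"] and r["callbacks"]}


# Constructed sha256sum-style listing of %TEMP%; the first three hashes are
# the ones from the post, the fourth is SHA256 of an empty file as filler.
SAMPLE_HASHES = """\
852c79d430e401f6b57946718ca6555c328dd503b13b9cda22e481903ebe8575  asWMWhWmB3.dll
72d9cbdec23f9c4f95ce8fb1217ef67c979957c58b4fb7c8fe98ac8cec62aca7  asWMWhWmB2.dll
852c79d430e401f6b57946718ca6555c328dd503b13b9cda22e481903ebe8575  asWMWhWmB1.dll
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  empty.tmp
"""


def match_dropped_files(listing, known=IOC_SHA256):
    """Group a sha256sum listing by hash and keep only hashes that are known
    Locky payloads. Duplicate drops (same hash, different names) collapse
    into one entry with all their file names."""
    by_hash = defaultdict(list)
    for line in listing.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        by_hash[parts[0].lower()].append(parts[1].strip())
    return {h: sorted(names) for h, names in by_hash.items() if h in known}


def hash_directory(dirpath):
    """Produce a sha256sum-style listing of a real directory (e.g. %TEMP%)
    so it can be fed to match_dropped_files()."""
    lines = []
    for name in sorted(os.listdir(dirpath)):
        full = os.path.join(dirpath, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            lines.append(f"{digest}  {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    for client, rec in find_locky_chain(parse_log(SAMPLE_LOG)).items():
        print(client, "downloads:", len(rec["downloads"]),
              "callbacks:", [e["host"] for e in rec["callbacks"]])
    print(match_dropped_files(SAMPLE_HASHES))
```

The window-based pairing matters: /data/info.php is a generic enough path that matching it on its own produces noise, while the shared query string on the three downloads is specific to this campaign and is what makes the sequence worth alerting on.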
