Ransom

Ransom.Locky.143 (file analysis)

Malware Removal

The Ransom.Locky.143 is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Ransom.Locky.143 virus can do?

  • Executable code extraction
  • Injection (inter-process)
  • Injection (Process Hollowing)
  • Creates RWX memory
  • At least one IP Address, Domain, or File Name was found in a crypto call
  • Reads data out of its own binary image
  • A process created a hidden window
  • Unconventionial language used in binary resources: Chinese (Simplified)
  • The binary likely contains encrypted or compressed data.
  • Uses Windows utilities for basic functionality
  • Executed a process and injected code into it, probably while unpacking
  • Attempts to delete volume shadow copies
  • Installs itself for autorun at Windows startup
  • Exhibits possible ransomware file modification behavior
  • Creates a hidden or system file
  • Anomalous binary characteristics
  • Uses suspicious command line tools or Windows utilities

How to determine Ransom.Locky.143?



File Info:

crc32: 7C405EED
md5: 696edc38320cdd5cea2e0fa87c2b1164
name: 696EDC38320CDD5CEA2E0FA87C2B1164.mlw
sha1: 88d841a2b2d8e9abbbedbc4c46f8933c7aec6e5c
sha256: 8b3de691ca7df5592a82e5ef2e4fdf15bc10aa5e7bb82289498e54367f37c068
sha512: c0a1805602422cfe12f8599b8e674ad1aec01df8fe7d01db68de04f61c59706f8479e4fe6b26c3044fc9d5ce402ebbbc334a6f93a85edd0a80f51d5988078539
ssdeep: 3072:id7658PaNWzqWrLWzZE44wwxuvyViqOas0CLE3rOh+4mDuz:47k8Phzl654wwxikfV7WG2
type: PE32 executable (GUI) Intel 80386, for MS Windows


Version Info:

LegalCopyright: Copyright (C) 2001
InternalName: FlashPlay
FileVersion: 0, 3, 0, 0
CompanyName: Studio
PrivateBuild: 1
LegalTrademarks: Flash Play
Comments: Author:XRH  
ProductName: FlashPlay Application
SpecialBuild: 1
ProductVersion: 0, 3, 0, 0
FileDescription: Flash Player Utility
OriginalFilename: FlashPlay.EXE
Translation: 0x0409 0x04b0

Ransom.Locky.143 also known as:

K7AntiVirusTrojan ( 0050bc621 )
Elasticmalicious (high confidence)
DrWebTrojan.Encoder.3976
CynetMalicious (score: 100)
ALYacGen:Variant.Ransom.Locky.143
CylanceUnsafe
ZillyaTrojan.Banker.Win32.110458
SangforTrojan.Win32.Generic.5
CrowdStrikewin/malicious_confidence_100% (W)
AlibabaRansom:Win32/Spora.d3670be0
K7GWTrojan ( 0050bc621 )
Cybereasonmalicious.8320cd
SymantecML.Attribute.HighConfidence
ESET-NOD32a variant of Win32/Injector.DNYE
ZonerTrojan.Win32.56525
APEXMalicious
AvastWin32:Rootkit-gen [Rtk]
ClamAVWin.Trojan.Yakes-7008632-0
KasperskyHEUR:Trojan.Win32.Generic
BitDefenderGen:Variant.Ransom.Locky.143
NANO-AntivirusTrojan.Win32.Inject.enuioz
MicroWorld-eScanGen:Variant.Ransom.Locky.143
TencentMalware.Win32.Gencirc.114a442d
Ad-AwareGen:Variant.Ransom.Locky.143
SophosMal/Generic-S
ComodoMalware@#1dj12238fl2ws
BitDefenderThetaGen:NN.ZexaF.34608.lq0@ae3qfCij
VIPRETrojan.Win32.Generic!BT
TrendMicroRansom_SPORA.F117DR
McAfee-GW-EditionBehavesLike.Win32.Dropper.ch
FireEyeGeneric.mg.696edc38320cdd5c
EmsisoftGen:Variant.Ransom.Locky.143 (B)
SentinelOneStatic AI – Suspicious PE
AviraTR/AD.Spora.bdftb
eGambitUnsafe.AI_Score_76%
KingsoftWin32.Troj.Undef.(kcloud)
MicrosoftRansom:Win32/Spora.A
ArcabitTrojan.Ransom.Locky.143
AegisLabTrojan.Win32.Spora.j!c
GDataGen:Variant.Ransom.Locky.143
McAfeeGenericRXBH-NI!696EDC38320C
MAXmalware (ai score=84)
VBA32Backdoor.Poison
MalwarebytesRansom.Spora
PandaTrj/CI.A
TrendMicro-HouseCallRansom_SPORA.F117DR
RisingBackdoor.Poison!8.2D7 (CLOUD)
IkarusTrojan.Win32.Injector
MaxSecureTrojan.Malware.7164915.susgen
FortinetW32/Injector.DNYE!tr
AVGWin32:Rootkit-gen [Rtk]
Paloaltogeneric.ml
Qihoo-360Win32/Ransom.Spora.HgIASOMA

How to remove Ransom.Locky.143?

Ransom.Locky.143 removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

You may also like

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

View all posts

Leave a Comment