Analysis Overview
SHA256
4ab3999b9aa14d0eae351803736103b76a33734805b8c8193a72d06fc6986dcd
Threat Level: Known bad
The file 4ab3999b9aa14d0eae351803736103b76a33734805b8c8193a72d06fc6986dcd was found to be: Known bad.
Malicious Activity Summary
Locky
suricata: ET MALWARE Ransomware Locky CnC Beacon
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-07-12 12:25
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-12 12:25
Reported
2022-07-12 17:22
Platform
win10v2004-20220414-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Locky
suricata: ET MALWARE Ransomware Locky CnC Beacon
Processes
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| BE | 67.27.153.254:80 | tcp | |
| FR | 51.254.181.122:80 | 51.254.181.122 | tcp |
| KZ | 78.40.108.39:80 | 78.40.108.39 | tcp |
| US | 93.184.220.29:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 52.109.12.19:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| FR | 149.202.109.205:80 | tcp | |
| PL | 91.195.12.187:80 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| IE | 20.54.89.15:443 | tcp | |
| US | 20.189.173.14:443 | tcp | |
| FR | 2.18.109.224:443 | tcp | |
| US | 104.18.25.243:80 | tcp | |
| UA | 195.64.154.114:80 | tcp | |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| NL | 87.248.202.1:80 | tcp | |
| NL | 87.248.202.1:80 | tcp | |
| NL | 87.248.202.1:80 | tcp | |
| RU | 188.127.231.116:80 | 188.127.231.116 | tcp |
| US | 8.8.8.8:53 | hmehcdvv.pw | udp |
| US | 8.8.8.8:53 | cvirg.us | udp |
| US | 8.8.8.8:53 | ewjkrtnwyjfqib.ru | udp |
| US | 8.8.8.8:53 | ygnvifghkun.yt | udp |
| US | 8.8.8.8:53 | f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| US | 8.8.8.8:53 | bautfvkqo.uk | udp |
| US | 8.8.8.8:53 | kxpqbgq.nl | udp |
| US | 8.8.8.8:53 | fhmahtiomfpjffy.us | udp |
| US | 8.8.8.8:53 | hiutjkyqpgwsv.yt | udp |
| FR | 51.254.181.122:80 | 51.254.181.122 | tcp |
| KZ | 78.40.108.39:80 | 78.40.108.39 | tcp |
| FR | 149.202.109.205:80 | tcp | |
| PL | 91.195.12.187:80 | tcp | |
| UA | 195.64.154.114:80 | tcp | |
| RU | 188.127.231.116:80 | 188.127.231.116 | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-12 12:25
Reported
2022-07-12 17:22
Platform
win7-20220414-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Locky
suricata: ET MALWARE Ransomware Locky CnC Beacon
Processes
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 188.127.231.116:80 | 188.127.231.116 | tcp |
| FR | 51.254.181.122:80 | 51.254.181.122 | tcp |
| KZ | 78.40.108.39:80 | 78.40.108.39 | tcp |
| FR | 149.202.109.205:80 | tcp | |
| PL | 91.195.12.187:80 | tcp | |
| UA | 195.64.154.114:80 | tcp | |
| US | 8.8.8.8:53 | hmehcdvv.pw | udp |
| US | 8.8.8.8:53 | cvirg.us | udp |
| US | 8.8.8.8:53 | ewjkrtnwyjfqib.ru | udp |
| US | 8.8.8.8:53 | ygnvifghkun.yt | udp |
| US | 8.8.8.8:53 | bautfvkqo.uk | udp |
| US | 8.8.8.8:53 | kxpqbgq.nl | udp |
| US | 8.8.8.8:53 | fhmahtiomfpjffy.us | udp |
| US | 8.8.8.8:53 | hiutjkyqpgwsv.yt | udp |
| RU | 188.127.231.116:80 | 188.127.231.116 | tcp |
| FR | 51.254.181.122:80 | 51.254.181.122 | tcp |
| KZ | 78.40.108.39:80 | 78.40.108.39 | tcp |
| FR | 149.202.109.205:80 | tcp |
Files
memory/1472-54-0x0000000074F21000-0x0000000074F23000-memory.dmp