Malware Analysis Report

2024-10-19 10:31

Sample ID: 220712-plpaxaaacp
Target: 4ab3999b9aa14d0eae351803736103b76a33734805b8c8193a72d06fc6986dcd
SHA256: 4ab3999b9aa14d0eae351803736103b76a33734805b8c8193a72d06fc6986dcd
Tags: locky, ransomware, suricata
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 4ab3999b9aa14d0eae351803736103b76a33734805b8c8193a72d06fc6986dcd

Threat Level: Known bad

The file 4ab3999b9aa14d0eae351803736103b76a33734805b8c8193a72d06fc6986dcd was found to be: Known bad.

Malicious Activity Summary

Tags: locky, ransomware, suricata

Locky

suricata: ET MALWARE Ransomware Locky CnC Beacon

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-07-12 12:25

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-07-12 12:25
Reported: 2022-07-12 17:22
Platform: win10v2004-20220414-en
Max time kernel: 147s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Locky (tags: ransomware, locky)

suricata: ET MALWARE Ransomware Locky CnC Beacon (tags: suricata)

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Network


Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-07-12 12:25
Reported: 2022-07-12 17:22
Platform: win7-20220414-en
Max time kernel: 151s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Locky (tags: ransomware, locky)

suricata: ET MALWARE Ransomware Locky CnC Beacon (tags: suricata)

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Network


Files

memory/1472-54-0x0000000074F21000-0x0000000074F23000-memory.dmp