Analysis Overview
SHA256
4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876
Threat Level: Known bad
The file 4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876 was found to be: Known bad.
Malicious Activity Summary
Locky
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-12 13:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-12 13:55
Reported
2022-07-13 00:05
Platform
win7-20220414-en
Max time kernel
152s
Max time network
157s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1092 set thread context of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe | C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe
"C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe"
C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe
"C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 91.201.41.91:80 | | tcp |
| US | 8.8.8.8:53 | cwxqbbeblfqqi.pl | udp |
| US | 8.8.8.8:53 | qoeyciqa.click | udp |
| US | 8.8.8.8:53 | wtlffnqrxmdb.org | udp |
| US | 8.8.8.8:53 | lipaepes.pw | udp |
| US | 8.8.8.8:53 | vuyfkbr.info | udp |
| US | 8.8.8.8:53 | qkmksujx.xyz | udp |
| US | 8.8.8.8:53 | vmnyygchbj.info | udp |
| US | 8.8.8.8:53 | axpetbwopqnul.click | udp |
| US | 8.8.8.8:53 | tjbueodhtfgwxsw.click | udp |
| RU | 91.201.41.91:80 | | tcp |
| US | 8.8.8.8:53 | edmobrixwk.pl | udp |
| US | 8.8.8.8:53 | pydjtgutbpmhwqgt.pl | udp |
| US | 8.8.8.8:53 | nwtuwyo.org | udp |
Files
memory/1092-54-0x0000000075F61000-0x0000000075F63000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsd13E0.tmp\System.dll
| MD5 | ca332bb753b0775d5e806e236ddcec55 |
| SHA1 | f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f |
| SHA256 | df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d |
| SHA512 | 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00 |
memory/1092-56-0x00000000007E0000-0x00000000007FE000-memory.dmp
memory/1260-57-0x00000000001D56BA-mapping.dmp
memory/1092-59-0x00000000007E0000-0x00000000007FE000-memory.dmp
memory/1260-60-0x00000000001D0000-0x00000000001F7000-memory.dmp
memory/1260-61-0x0000000000290000-0x00000000002B7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-12 13:55
Reported
2022-07-13 00:05
Platform
win10v2004-20220414-en
Max time kernel
166s
Max time network
165s
Command Line
Signatures
Locky
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4788 set thread context of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe | C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe
"C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe"
C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe
"C:\Users\Admin\AppData\Local\Temp\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe"
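The signature set above (SetThreadContext on a child process, WriteProcessMemory, MapViewOfSection) together with the sample starting a second copy of its own image is the footprint of hollowing-style self-injection; the report shows it as PID 1092 -> 1260 in behavioral1 and PID 4788 -> 1888 in behavioral2. The following Python is an added example, not part of the sandbox report: it parses the report's SetThreadContext signature text and correlates process-creation and process-access records into that pattern. The records are constructed for the example (only the PIDs and the sample path come from the report; parent PIDs, the benign browser processes and the granted-access values are assumptions), and the record shapes loosely follow Sysmon's ProcessCreate and ProcessAccess events.

```python
"""Flag hollowing-style self-injection from process create/access records.

Added example, not part of the sandbox report. The records below are
constructed: the PIDs and image path mirror what the report shows
(1092 -> 1260 on win7, 4788 -> 1888 on win10); parent PIDs, the benign
browser processes and the granted-access values are assumptions.
"""
import re
from dataclasses import dataclass

# Process access rights from winnt.h that an injector needs on its target.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF            # what CreateProcess hands the parent
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4a4de5b3e6eb0189b0ccaf6445696e1e167bcd03be5712d352dc2f96257b4876.exe")
BROWSER = r"C:\Program Files\Browser\browser.exe"   # hypothetical benign program

SIG_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_set_thread_context(description):
    """(source_pid, target_pid) from the report's signature text,
    e.g. 'PID 1092 set thread context of 1260'."""
    m = SIG_RE.search(description)
    if not m:
        raise ValueError("not a SetThreadContext signature: %r" % description)
    return int(m.group(1)), int(m.group(2))


@dataclass(frozen=True)
class ProcessCreate:           # one process start (cf. Sysmon event 1)
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class ProcessAccess:           # one handle grant (cf. Sysmon event 10)
    source_pid: int
    target_pid: int
    granted_access: int


def find_self_injection(events):
    """Return (source_pid, target_pid, image) for each parent that started a
    second copy of its own image and then held write+suspend rights on it."""
    procs = {e.pid: e for e in events if isinstance(e, ProcessCreate)}
    hits = []
    for e in events:
        if not isinstance(e, ProcessAccess):
            continue
        src, tgt = procs.get(e.source_pid), procs.get(e.target_pid)
        if src is None or tgt is None or tgt.ppid != src.pid:
            continue                      # not a parent touching its own child
        if src.image.lower() != tgt.image.lower():
            continue                      # different image: not the self-spawn pattern
        if (e.granted_access & INJECT_MASK) == INJECT_MASK:
            hits.append((src.pid, tgt.pid, tgt.image))
    return hits


# Constructed records; only the SAMPLE pids and path come from the report.
EVENTS = [
    ProcessCreate(pid=1092, ppid=600, image=SAMPLE),          # first instance
    ProcessCreate(pid=1260, ppid=1092, image=SAMPLE),         # second instance
    ProcessAccess(1092, 1260, PROCESS_ALL_ACCESS),            # full handle on the child
    ProcessCreate(pid=2000, ppid=900, image=BROWSER),         # benign self-spawn...
    ProcessCreate(pid=2001, ppid=2000, image=BROWSER),
    ProcessAccess(2000, 2001, PROCESS_QUERY_LIMITED_INFORMATION),  # ...read-only handle
]

if __name__ == "__main__":
    for src, dst, image in find_self_injection(EVENTS):
        print("self-injection: %d -> %d (%s)" % (src, dst, image))
```

The rule deliberately requires all three of VM_OPERATION, VM_WRITE and SUSPEND_RESUME on a same-image child: a parent that only queries its child (the browser case) does not match, and neither does a parent that writes memory without being able to suspend and redirect a thread.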
Network
| Country | Destination | Domain | Proto |
| RU | 91.201.41.91:80 | | tcp |
| US | 20.42.65.85:443 | | tcp |
| US | 8.8.8.8:53 | nwtuwyo.org | udp |
| US | 8.8.8.8:53 | qoeyciqa.click | udp |
| US | 8.8.8.8:53 | wtlffnqrxmdb.org | udp |
| US | 8.8.8.8:53 | vuyfkbr.info | udp |
| US | 8.8.8.8:53 | cwxqbbeblfqqi.pl | udp |
| US | 8.8.8.8:53 | lipaepes.pw | udp |
| US | 8.253.208.112:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | lipaepes.pw | udp |
| US | 8.8.8.8:53 | qoeyciqa.click | udp |
| US | 8.8.8.8:53 | tjbueodhtfgwxsw.click | udp |
| RU | 91.201.41.91:80 | | tcp |
| US | 8.8.8.8:53 | tjbueodhtfgwxsw.click | udp |
| US | 8.8.8.8:53 | nwtuwyo.org | udp |
| US | 8.8.8.8:53 | qoeyciqa.click | udp |
| US | 8.8.8.8:53 | lipaepes.pw | udp |
| US | 8.253.208.112:80 | | tcp |
| US | 8.8.8.8:53 | wtlffnqrxmdb.org | udp |
| US | 8.8.8.8:53 | vuyfkbr.info | udp |
| US | 8.8.8.8:53 | qkmksujx.xyz | udp |
| US | 8.8.8.8:53 | nwtuwyo.org | udp |
| RU | 91.201.41.91:80 | | tcp |
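The two Network tables (behavioral1 above on win7, behavioral2 here on win10) repeat rows and mix DNS lookups through the sandbox resolver at 8.8.8.8:53 with direct connections. The following Python is an added example, not part of the sandbox report: it collapses both tables into IOC sets and diffs the runs. The rows are copied from the page; the parser, which also accepts rows whose Domain cell is missing so the protocol slides one column left, and the classification rule (port 53/udp with a queried name is a DNS lookup, everything else a direct connection) are this example's own assumptions.

```python
"""Deduplicate the report's two Network tables into IOC sets and diff the runs.

Added example, not part of the sandbox report. Rows copied from the page
(behavioral1 = win7, behavioral2 = win10); parsing and classification rules
are this example's own assumptions.
"""

BEHAVIORAL1 = """
| RU | 91.201.41.91:80 | | tcp |
| US | 8.8.8.8:53 | cwxqbbeblfqqi.pl | udp |
| US | 8.8.8.8:53 | qoeyciqa.click | udp |
| US | 8.8.8.8:53 | wtlffnqrxmdb.org | udp |
| US | 8.8.8.8:53 | lipaepes.pw | udp |
| US | 8.8.8.8:53 | vuyfkbr.info | udp |
| US | 8.8.8.8:53 | qkmksujx.xyz | udp |
| US | 8.8.8.8:53 | vmnyygchbj.info | udp |
| US | 8.8.8.8:53 | axpetbwopqnul.click | udp |
| US | 8.8.8.8:53 | tjbueodhtfgwxsw.click | udp |
| RU | 91.201.41.91:80 | | tcp |
| US | 8.8.8.8:53 | edmobrixwk.pl | udp |
| US | 8.8.8.8:53 | pydjtgutbpmhwqgt.pl | udp |
| US | 8.8.8.8:53 | nwtuwyo.org | udp |
"""

BEHAVIORAL2 = """
| RU | 91.201.41.91:80 | | tcp |
| US | 20.42.65.85:443 | | tcp |
| US | 8.8.8.8:53 | nwtuwyo.org | udp |
| US | 8.8.8.8:53 | qoeyciqa.click | udp |
| US | 8.8.8.8:53 | wtlffnqrxmdb.org | udp |
| US | 8.8.8.8:53 | vuyfkbr.info | udp |
| US | 8.8.8.8:53 | cwxqbbeblfqqi.pl | udp |
| US | 8.8.8.8:53 | lipaepes.pw | udp |
| US | 8.253.208.112:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | lipaepes.pw | udp |
| US | 8.8.8.8:53 | qoeyciqa.click | udp |
| US | 8.8.8.8:53 | tjbueodhtfgwxsw.click | udp |
| RU | 91.201.41.91:80 | | tcp |
| US | 8.8.8.8:53 | tjbueodhtfgwxsw.click | udp |
| US | 8.8.8.8:53 | nwtuwyo.org | udp |
| US | 8.8.8.8:53 | qoeyciqa.click | udp |
| US | 8.8.8.8:53 | lipaepes.pw | udp |
| US | 8.253.208.112:80 | | tcp |
| US | 8.8.8.8:53 | wtlffnqrxmdb.org | udp |
| US | 8.8.8.8:53 | vuyfkbr.info | udp |
| US | 8.8.8.8:53 | qkmksujx.xyz | udp |
| US | 8.8.8.8:53 | nwtuwyo.org | udp |
| RU | 91.201.41.91:80 | | tcp |
"""


def parse_row(line):
    """(country, destination, domain, proto) for one '| .. | .. |' row.
    A row with no Domain cell carries the protocol one column early; accept both."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":   # malformed row or header
        return None
    rest = [c for c in cells[2:] if c]
    proto = ""
    if rest and rest[-1].lower() in ("tcp", "udp"):
        proto = rest.pop().lower()
    domain = rest[0].lower() if rest else ""
    return cells[0], cells[1], domain, proto


def parse_table(text):
    return [r for r in map(parse_row, text.strip().splitlines()) if r]


def classify(rows):
    """Split rows into queried domain names and (destination, proto) connections."""
    dns, conns = set(), set()
    for _country, dest, domain, proto in rows:
        if proto == "udp" and dest.endswith(":53") and domain:
            dns.add(domain)                # lookup through the sandbox resolver
        else:
            conns.add((dest, proto))       # a socket the sample actually opened
    return dns, conns


def summarize(runs):
    """runs: {run_name: table_text}. Collapses duplicate rows and reports which
    IOCs every run shares and which a single run contributed on its own."""
    per_run = {name: classify(parse_table(text)) for name, text in runs.items()}
    dns_sets = [d for d, _ in per_run.values()]
    conn_sets = [c for _, c in per_run.values()]
    common_conns = set.intersection(*conn_sets)
    return {
        "dns_domains": set.union(*dns_sets),
        "common_dns": set.intersection(*dns_sets),
        "common_connections": common_conns,
        "run_only_connections": {n: c - common_conns for n, (_, c) in per_run.items()},
    }


if __name__ == "__main__":
    s = summarize({"behavioral1": BEHAVIORAL1, "behavioral2": BEHAVIORAL2})
    print("in both runs:", sorted(s["common_connections"]), sorted(s["common_dns"]))
    print("only one run:", s["run_only_connections"])
```

Run over the two tables, the only direct connection common to both platforms is 91.201.41.91:80, and every name queried on win10 was also queried on win7. The three US addresses (20.42.65.85:443, 8.253.208.112:80, 204.79.197.203:80) appear only in the win10 run, so they should be checked against a clean baseline of that image before being treated as indicators of this sample.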
Files
C:\Users\Admin\AppData\Local\Temp\nssC307.tmp\System.dll
| MD5 | ca332bb753b0775d5e806e236ddcec55 |
| SHA1 | f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f |
| SHA256 | df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d |
| SHA512 | 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00 |
memory/4788-131-0x0000000002820000-0x000000000283E000-memory.dmp
memory/1888-132-0x0000000000000000-mapping.dmp
memory/4788-133-0x0000000002820000-0x000000000283E000-memory.dmp
memory/1888-134-0x00000000001D0000-0x00000000001F7000-memory.dmp
memory/1888-135-0x0000000000720000-0x0000000000747000-memory.dmp
memory/1888-136-0x0000000000720000-0x0000000000747000-memory.dmp