Malware Analysis Report

2024-10-19 10:31

Sample ID 220713-r8ytzaffgq
Target d4fd2fe61b13c70740ebc900e8d88123683790a43dd500e0f660f92e9fa257dc.bin
SHA256 d4fd2fe61b13c70740ebc900e8d88123683790a43dd500e0f660f92e9fa257dc
Tags: locky, ransomware, suricata
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: d4fd2fe61b13c70740ebc900e8d88123683790a43dd500e0f660f92e9fa257dc

Threat Level: Known bad

The file d4fd2fe61b13c70740ebc900e8d88123683790a43dd500e0f660f92e9fa257dc.bin was found to be: Known bad.

Malicious Activity Summary

locky ransomware suricata

Locky

suricata: ET MALWARE Locky CnC Checkin HTTP Pattern

suricata: ET MALWARE Locky CnC checkin Nov 21

Sets desktop wallpaper using registry

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-13 14:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-13 14:52

Reported

2022-07-13 14:55

Platform

win10v2004-20220414-en

Max time kernel

155s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4fd2fe61b13c70740ebc900e8d88123683790a43dd500e0f660f92e9fa257dc.exe"

Signatures

Locky
Tags: ransomware, locky

suricata: ET MALWARE Locky CnC Checkin HTTP Pattern
Tags: suricata

suricata: ET MALWARE Locky CnC checkin Nov 21
Tags: suricata

Sets desktop wallpaper using registry
Tags: ransomware
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\_HOWDO_text.bmp"
Process: C:\Users\Admin\AppData\Local\Temp\d4fd2fe61b13c70740ebc900e8d88123683790a43dd500e0f660f92e9fa257dc.exe
Target: N/A

Modifies Control Panel
Tags: evasion
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\TileWallpaper = "0"
Process: C:\Users\Admin\AppData\Local\Temp\d4fd2fe61b13c70740ebc900e8d88123683790a43dd500e0f660f92e9fa257dc.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\WallpaperStyle = "0"
Process: C:\Users\Admin\AppData\Local\Temp\d4fd2fe61b13c70740ebc900e8d88123683790a43dd500e0f660f92e9fa257dc.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d4fd2fe61b13c70740ebc900e8d88123683790a43dd500e0f660f92e9fa257dc.exe

"C:\Users\Admin\AppData\Local\Temp\d4fd2fe61b13c70740ebc900e8d88123683790a43dd500e0f660f92e9fa257dc.exe"

Network

Country  Destination          Domain               Proto
NL       104.110.191.140:80   -                    tcp
RU       94.242.55.225:80     -                    tcp
FR       5.196.200.247:80     5.196.200.247        tcp
US       8.8.8.8:53           dmhkhjlqfw.org       udp
US       8.8.8.8:53           ompiysm.ru           udp
US       8.8.8.8:53           ofatonkedbkvn.xyz    udp
US       8.8.8.8:53           nirjksnlck.pw        udp
BE       8.238.110.126:80     -                    tcp
US       8.8.8.8:53           mvqmjsud.work        udp
US       8.8.8.8:53           tnmejrsbem.biz       udp
US       8.8.8.8:53           nirjksnlck.pw        udp
US       8.8.8.8:53           owglrcibexvcmsp.su   udp
RU       94.242.55.225:80     -                    tcp
FR       5.196.200.247:80     5.196.200.247        tcp
US       8.8.8.8:53           bkuwurxouib.org      udp
US       8.8.8.8:53           mvqmjsud.work        udp
US       8.8.8.8:53           wkwvvyathqdni.su     udp
US       8.8.8.8:53           nwmtlck.pl           udp
US       8.8.8.8:53           ompiysm.ru           udp
US       8.8.8.8:53           tnmejrsbem.biz       udp
US       8.8.8.8:53           bkuwurxouib.org      udp
US       8.8.8.8:53           wkwvvyathqdni.su     udp
US       8.8.8.8:53           lbeyoewurdyu.pl      udp
US       8.8.8.8:53           ofatonkedbkvn.xyz    udp
RU       94.242.55.225:80     -                    tcp

Files

memory/4972-131-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4972-132-0x0000000000BB0000-0x0000000000BD7000-memory.dmp

memory/4972-133-0x0000000000400000-0x0000000000430000-memory.dmp