Malware Analysis Report

2024-10-19 10:31

Sample ID: 220724-cqmxesbddl
Target: 59f6b5e8b1829902c9b915c3c7a6f8842445e4f9508710d4bcacdb1f80fdc2ef
SHA256: 59f6b5e8b1829902c9b915c3c7a6f8842445e4f9508710d4bcacdb1f80fdc2ef
Tags: locky ransomware suricata
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 59f6b5e8b1829902c9b915c3c7a6f8842445e4f9508710d4bcacdb1f80fdc2ef

Threat Level: Known bad

The file 59f6b5e8b1829902c9b915c3c7a6f8842445e4f9508710d4bcacdb1f80fdc2ef was found to be: Known bad.

Malicious Activity Summary

Tags: locky ransomware suricata

Locky
suricata: ET MALWARE Ransomware Locky CnC Beacon

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-07-24 02:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-07-24 02:16
Reported: 2022-07-24 02:19
Platform: win7-20220715-en
Max time kernel: 142s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59f6b5e8b1829902c9b915c3c7a6f8842445e4f9508710d4bcacdb1f80fdc2ef.exe"

Signatures

Locky (tags: ransomware locky)
suricata: ET MALWARE Ransomware Locky CnC Beacon (tags: suricata)

Processes

C:\Users\Admin\AppData\Local\Temp\59f6b5e8b1829902c9b915c3c7a6f8842445e4f9508710d4bcacdb1f80fdc2ef.exe

"C:\Users\Admin\AppData\Local\Temp\59f6b5e8b1829902c9b915c3c7a6f8842445e4f9508710d4bcacdb1f80fdc2ef.exe"

Network

Country Destination Domain Proto  (Domain is blank for direct-to-IP connections; one row per connection attempt)
RU 95.181.171.58:80 tcp
NL 185.14.30.97:80 185.14.30.97 tcp
US 8.8.8.8:53 xcfenmbarmoym.in udp
US 8.8.8.8:53 pohedecwbdaj.de udp
US 8.8.8.8:53 dehucnutrdamaiq.yt udp
US 8.8.8.8:53 qtehyux.us udp
US 8.8.8.8:53 ijwlcs.in udp
US 8.8.8.8:53 vvgxnyicy.be udp
RU 95.181.171.58:80 tcp
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
NL 185.14.30.97:80 185.14.30.97 tcp

Files

memory/1064-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

memory/1064-55-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1064-57-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1064-58-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-07-24 02:16
Reported: 2022-07-24 02:19
Platform: win10v2004-20220721-en
Max time kernel: 149s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59f6b5e8b1829902c9b915c3c7a6f8842445e4f9508710d4bcacdb1f80fdc2ef.exe"

Signatures

Locky (tags: ransomware locky)
suricata: ET MALWARE Ransomware Locky CnC Beacon (tags: suricata)

Processes

C:\Users\Admin\AppData\Local\Temp\59f6b5e8b1829902c9b915c3c7a6f8842445e4f9508710d4bcacdb1f80fdc2ef.exe

"C:\Users\Admin\AppData\Local\Temp\59f6b5e8b1829902c9b915c3c7a6f8842445e4f9508710d4bcacdb1f80fdc2ef.exe"

Network

Country Destination Domain Proto  (Domain is blank for direct-to-IP connections; one row per connection attempt)
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
US 8.8.8.8:53 xcfenmbarmoym.in udp
US 8.8.8.8:53 pohedecwbdaj.de udp
US 8.8.8.8:53 dehucnutrdamaiq.yt udp
US 8.8.8.8:53 qtehyux.us udp
US 8.8.8.8:53 ijwlcs.in udp
US 8.8.8.8:53 vvgxnyicy.be udp
RU 95.181.171.58:80 tcp
US 8.8.8.8:53 xcfenmbarmoym.in udp
US 8.8.8.8:53 pohedecwbdaj.de udp
US 8.8.8.8:53 dehucnutrdamaiq.yt udp
US 8.8.8.8:53 qtehyux.us udp
US 8.8.8.8:53 ijwlcs.in udp
US 8.8.8.8:53 vvgxnyicy.be udp
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
AU 104.46.162.224:443 tcp
US 8.8.8.8:53 dehucnutrdamaiq.yt udp
US 8.8.8.8:53 qtehyux.us udp
US 8.8.8.8:53 ijwlcs.in udp
US 8.8.8.8:53 vvgxnyicy.be udp
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
US 8.8.8.8:53 xcfenmbarmoym.in udp
US 8.8.8.8:53 pohedecwbdaj.de udp
US 8.253.183.249:80 tcp
US 8.253.183.249:80 tcp
US 8.253.183.249:80 tcp
US 8.8.8.8:53 ijwlcs.in udp
US 8.8.8.8:53 vvgxnyicy.be udp
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
US 8.8.8.8:53 xcfenmbarmoym.in udp
US 8.8.8.8:53 pohedecwbdaj.de udp
US 8.8.8.8:53 dehucnutrdamaiq.yt udp
US 8.8.8.8:53 qtehyux.us udp
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
US 8.8.8.8:53 xcfenmbarmoym.in udp
US 8.8.8.8:53 pohedecwbdaj.de udp
US 8.8.8.8:53 dehucnutrdamaiq.yt udp
US 8.8.8.8:53 qtehyux.us udp
US 8.8.8.8:53 ijwlcs.in udp
US 8.8.8.8:53 vvgxnyicy.be udp
RU 95.181.171.58:80 tcp
US 8.8.8.8:53 xcfenmbarmoym.in udp
US 8.8.8.8:53 pohedecwbdaj.de udp
US 8.8.8.8:53 dehucnutrdamaiq.yt udp
US 8.8.8.8:53 qtehyux.us udp
US 8.8.8.8:53 ijwlcs.in udp
US 8.8.8.8:53 vvgxnyicy.be udp
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
US 8.8.8.8:53 dehucnutrdamaiq.yt udp
US 8.8.8.8:53 qtehyux.us udp
US 8.8.8.8:53 ijwlcs.in udp
US 8.8.8.8:53 vvgxnyicy.be udp
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
US 8.8.8.8:53 xcfenmbarmoym.in udp
US 8.8.8.8:53 pohedecwbdaj.de udp
US 8.8.8.8:53 ijwlcs.in udp
US 8.8.8.8:53 vvgxnyicy.be udp
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
US 8.8.8.8:53 xcfenmbarmoym.in udp
US 8.8.8.8:53 pohedecwbdaj.de udp
US 8.8.8.8:53 dehucnutrdamaiq.yt udp
US 8.8.8.8:53 qtehyux.us udp
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
US 8.8.8.8:53 xcfenmbarmoym.in udp
US 8.8.8.8:53 pohedecwbdaj.de udp
US 8.8.8.8:53 dehucnutrdamaiq.yt udp
US 8.8.8.8:53 qtehyux.us udp
US 8.8.8.8:53 ijwlcs.in udp
US 8.8.8.8:53 vvgxnyicy.be udp
RU 95.181.171.58:80 tcp
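
The Network tables of both runs show the same pattern: repeated TCP connections to two hard-coded IPs on port 80, and six DNS lookups for random-looking names that are never followed by a connection. The script below is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own "Country Destination Domain Proto" layout, counts attempts per destination, lists names that were queried but never connected to, and emits Suricata drop rules for the repeated beacon targets. The sample input is constructed from the behavioral1 table plus the three destinations that only appear in behavioral2; the statement that Locky beacons to hard-coded C2 IPs over HTTP and falls back to DGA domains is family knowledge, not a finding of this report, and the attempt threshold, sids and rule message are assumptions.

```python
"""Added example, not part of the sandbox report: parse the Network rows
above into a deduplicated IOC summary. Locky is known (family knowledge,
not a finding of this report) to beacon to hard-coded C2 IPs over HTTP
and to fall back to DGA-generated domains, so we count attempts per
destination, list names that were queried but never connected to, and
emit Suricata rules for the repeated beacon targets. Thresholds, sids and
the rule message are assumptions.
"""
import re
from collections import Counter

# Constructed input: the behavioral1 Network table as printed in the
# report, plus the three destinations that only appear in behavioral2
# (104.46.162.224:443 once, 8.253.183.249:80 three times). Layout is the
# report's own: Country Destination Domain Proto, Domain blank when the
# sample connected straight to an IP.
SAMPLE_ROWS = """\
Country Destination Domain Proto
RU 95.181.171.58:80 tcp
NL 185.14.30.97:80 185.14.30.97 tcp
US 8.8.8.8:53 xcfenmbarmoym.in udp
US 8.8.8.8:53 pohedecwbdaj.de udp
US 8.8.8.8:53 dehucnutrdamaiq.yt udp
US 8.8.8.8:53 qtehyux.us udp
US 8.8.8.8:53 ijwlcs.in udp
US 8.8.8.8:53 vvgxnyicy.be udp
RU 95.181.171.58:80 tcp
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
NL 185.14.30.97:80 185.14.30.97 tcp
RU 95.181.171.58:80 tcp
NL 185.14.30.97:80 185.14.30.97 tcp
AU 104.46.162.224:443 tcp
US 8.253.183.249:80 tcp
US 8.253.183.249:80 tcp
US 8.253.183.249:80 tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})"
    r"(?:\s+(?P<domain>\S+))?\s+"
    r"(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """One dict per well-formed row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def summarize(rows, dns_port=53):
    """Separate DNS lookups from direct connections and aggregate both."""
    queried = set()
    connections = Counter()  # (ip, port, proto) -> number of attempts
    for r in rows:
        if r["proto"] == "udp" and r["port"] == dns_port and r["domain"]:
            queried.add(r["domain"].lower())
        else:
            connections[(r["ip"], r["port"], r["proto"])] += 1
    # Names the sample looked up but never connected to. In this report
    # every TCP row's Domain is just the destination IP, so all six
    # lookups fall here: consistent with DGA candidates that did not
    # resolve, rather than live C2.
    tcp_names = {r["domain"].lower() for r in rows
                 if r["proto"] == "tcp" and r["domain"]}
    return {
        "connections": connections,
        "queried": sorted(queried),
        "unconnected": sorted(queried - tcp_names),
    }


def beacon_targets(connections, min_attempts=4):
    """Destinations hit at least min_attempts times (assumed threshold).

    One-off or low-count connections in a sandbox run are often OS
    background traffic; check those by hand before blocking them.
    """
    return sorted(key for key, n in connections.items() if n >= min_attempts)


def suricata_rules(targets, base_sid=9000001):
    """One Suricata drop rule per beacon target (sids are assumed local values)."""
    rules = []
    for i, (ip, port, proto) in enumerate(targets):
        rules.append(
            f'drop {proto} $HOME_NET any -> {ip} {port} '
            f'(msg:"LOCAL Locky C2 beacon to {ip}"; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_ROWS))
    for (ip, port, proto), n in summary["connections"].most_common():
        print(f"{n:3d}x {ip}:{port}/{proto}")
    print("queried but never connected:", ", ".join(summary["unconnected"]))
    for rule in suricata_rules(beacon_targets(summary["connections"])):
        print(rule)
```

Run it as-is to see the attempt counts per destination, the six unresolved names, and two drop rules for 185.14.30.97:80 and 95.181.171.58:80. The attempt threshold is what keeps 104.46.162.224:443 and 8.253.183.249:80 out of the rule set; the report does not say what those connections are, so treat them as unverified rather than benign.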

Files

memory/1576-130-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1576-132-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1576-133-0x0000000000400000-0x000000000042D000-memory.dmp