Analysis Overview
SHA256
5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8
Threat Level: Known bad
The file 5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8 was found to be: Known bad.
Malicious Activity Summary
Locky
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-31 23:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-31 23:21
Reported
2022-08-01 02:52
Platform
win7-20220715-en
Max time kernel
154s
Max time network
141s
Command Line
Signatures
Locky
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1808 set thread context of 1452 | N/A | C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe | C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe | "C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe" |
| C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe | "C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe" |
Network
Files
\Users\Admin\AppData\Local\Temp\nso652C.tmp\System.dll
| MD5 | ca332bb753b0775d5e806e236ddcec55 |
| SHA1 | f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f |
| SHA256 | df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d |
| SHA512 | 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-31 23:21
Reported
2022-08-01 02:52
Platform
win10v2004-20220721-en
Max time kernel
236s
Max time network
229s
Command Line
Signatures
Locky
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3340 set thread context of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe | C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe | "C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe" |
| C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe | "C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\nsdB4CB.tmp\System.dll
| MD5 | ca332bb753b0775d5e806e236ddcec55 |
| SHA1 | f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f |
| SHA256 | df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d |
| SHA512 | 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00 |