Malware Analysis Report

2024-10-19 10:31

Sample ID 220731-3b3bnsdghq
Target 5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8
SHA256 5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8
Tags
locky ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8

Threat Level: Known bad

The file 5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8 was found to be: Known bad.

Malicious Activity Summary

locky ransomware

Locky

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-31 23:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-31 23:21

Reported

2022-08-01 02:52

Platform

win7-20220715-en

Max time kernel

154s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe"

Signatures

Locky

ransomware locky

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description  Indicator  Process                                                                                                       Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe

"C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe"

C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe

"C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe"

Network

Country  Destination         Domain                    Proto
RU       94.242.55.81:80     94.242.55.81              tcp
RU       80.87.202.49:80     80.87.202.49              tcp
RU       95.46.114.205:80                              tcp
US       8.8.8.8:53          gbemgvaxlhjsufdqj.click   udp
US       8.8.8.8:53          tnadfqqfchv.click         udp
US       8.8.8.8:53          tcvotxeyyihmul.xyz        udp
US       8.8.8.8:53          omktglfhxdssep.work       udp
US       8.8.8.8:53          fjrshlblbxecvaegg.pw      udp
US       8.8.8.8:53          pxendansvvekyynkb.ru      udp
US       8.8.8.8:53          jqfmooryomsq.work         udp
RU       95.46.114.205:80                              tcp
US       8.8.8.8:53          qcaehevwsrrno.info        udp
US       8.8.8.8:53          roxwfqyiamsislu.pw        udp
US       8.8.8.8:53          vmpiabbcm.info            udp
RU       94.242.55.81:80     94.242.55.81              tcp

Files

memory/1808-54-0x0000000076281000-0x0000000076283000-memory.dmp

\Users\Admin\AppData\Local\Temp\nso652C.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

memory/1808-56-0x0000000002310000-0x0000000002F5A000-memory.dmp

memory/1452-57-0x00000000001C56BA-mapping.dmp

memory/1452-59-0x00000000001C0000-0x00000000001E7000-memory.dmp

memory/1452-60-0x0000000000280000-0x00000000002A7000-memory.dmp

memory/1452-61-0x0000000000280000-0x00000000002A7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-31 23:21

Reported

2022-08-01 02:52

Platform

win10v2004-20220721-en

Max time kernel

236s

Max time network

229s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe"

Signatures

Locky

ransomware locky

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description  Indicator  Process                                                                                                       Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe

"C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe"

C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe

"C:\Users\Admin\AppData\Local\Temp\5d789e79aa723ebc576297623719d78211bc3bb61bb04af2556e59dfacf61cc8.exe"

Network

Country  Destination         Domain                    Proto
US       67.26.207.254:80                              tcp
US       8.238.21.254:80                               tcp
US       8.253.208.121:80                              tcp
GB       51.104.15.253:443                             tcp
US       8.253.146.120:80                              tcp
US       93.184.220.29:80                              tcp
RU       80.87.202.49:80     80.87.202.49              tcp
RU       94.242.55.81:80     94.242.55.81              tcp
RU       95.46.114.205:80                              tcp
US       8.8.8.8:53          tnadfqqfchv.click         udp
US       8.8.8.8:53          omktglfhxdssep.work       udp
US       8.8.8.8:53          jqfmooryomsq.work         udp
US       8.8.8.8:53          gbemgvaxlhjsufdqj.click   udp
US       8.8.8.8:53          tcvotxeyyihmul.xyz        udp
US       8.8.8.8:53          pgkovpn.org               udp
US       67.26.211.254:80                              tcp
US       8.8.8.8:53          fjrshlblbxecvaegg.pw      udp
US       8.8.8.8:53          ctjyugqkely.biz           udp
US       8.8.8.8:53          pxendansvvekyynkb.ru      udp
US       8.8.8.8:53          tnadfqqfchv.click         udp
RU       95.46.114.205:80                              tcp
US       8.8.8.8:53          qcaehevwsrrno.info        udp
US       8.8.8.8:53          vmpiabbcm.info            udp
US       8.8.8.8:53          tcvotxeyyihmul.xyz        udp
US       8.8.8.8:53          tnadfqqfchv.click         udp
US       8.8.8.8:53          fjrshlblbxecvaegg.pw      udp
US       8.8.8.8:53          qcaehevwsrrno.info        udp
US       8.8.8.8:53          gbemgvaxlhjsufdqj.click   udp
US       8.8.8.8:53          ctjyugqkely.biz           udp
US       8.8.8.8:53          roxwfqyiamsislu.pw        udp
US       8.8.8.8:53          pgkovpn.org               udp

Files

C:\Users\Admin\AppData\Local\Temp\nsdB4CB.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

memory/3340-131-0x0000000003010000-0x000000000302D000-memory.dmp

memory/3340-132-0x0000000003010000-0x000000000302D000-memory.dmp

memory/4000-133-0x0000000000000000-mapping.dmp

memory/4000-134-0x00000000001D0000-0x00000000001F7000-memory.dmp

memory/4000-135-0x0000000001FB0000-0x0000000001FD7000-memory.dmp

memory/4000-136-0x0000000001FB0000-0x0000000001FD7000-memory.dmp