Malware Analysis Report

2024-10-19 10:31

Sample ID 220801-gcqhlscbb3
Target 5cacccb46693962c67a3aef0df9a538201a44d309993915057e98b00b59cf7c3
SHA256 5cacccb46693962c67a3aef0df9a538201a44d309993915057e98b00b59cf7c3
Tags
locky ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

5cacccb46693962c67a3aef0df9a538201a44d309993915057e98b00b59cf7c3

Threat Level: Known bad

The file 5cacccb46693962c67a3aef0df9a538201a44d309993915057e98b00b59cf7c3 was found to be: Known bad.

Malicious Activity Summary

locky ransomware

Locky

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-08-01 05:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-01 05:39

Reported

2022-08-01 07:25

Platform

win7-20220718-en

Max time kernel

156s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cacccb46693962c67a3aef0df9a538201a44d309993915057e98b00b59cf7c3.exe"

Signatures

Locky

ransomware locky

Processes

C:\Users\Admin\AppData\Local\Temp\5cacccb46693962c67a3aef0df9a538201a44d309993915057e98b00b59cf7c3.exe

"C:\Users\Admin\AppData\Local\Temp\5cacccb46693962c67a3aef0df9a538201a44d309993915057e98b00b59cf7c3.exe"

Network

Country  Destination        Domain              Proto
RU       95.181.171.58:80                       tcp
NL       185.14.30.97:80    185.14.30.97        tcp
US       8.8.8.8:53         cojwkeoh.it         udp
US       8.8.8.8:53         pejngrdydlq.it      udp
US       8.8.8.8:53         hqlnyfibug.it       udp
US       8.8.8.8:53         ugiasmoayhrii.fr    udp
US       8.8.8.8:53         mvbbkuslvxkb.us     udp
US       8.8.8.8:53         dqefredqucnwpwo.nl  udp
NL       185.14.30.97:80                        tcp

Files

memory/1608-54-0x00000000756C1000-0x00000000756C3000-memory.dmp

memory/1608-55-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1608-57-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1608-58-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-01 05:39

Reported

2022-08-01 07:23

Platform

win10v2004-20220722-en

Max time kernel

153s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cacccb46693962c67a3aef0df9a538201a44d309993915057e98b00b59cf7c3.exe"

Signatures

Locky

ransomware locky

Processes

C:\Users\Admin\AppData\Local\Temp\5cacccb46693962c67a3aef0df9a538201a44d309993915057e98b00b59cf7c3.exe

"C:\Users\Admin\AppData\Local\Temp\5cacccb46693962c67a3aef0df9a538201a44d309993915057e98b00b59cf7c3.exe"

Network

Country  Destination        Domain              Proto
US       209.197.3.8:80                         tcp
NL       185.14.30.97:80    185.14.30.97        tcp
RU       95.181.171.58:80                       tcp
US       8.8.8.8:53         cojwkeoh.it         udp
US       8.8.8.8:53         pejngrdydlq.it      udp
US       8.8.8.8:53         hqlnyfibug.it       udp
US       8.8.8.8:53         ugiasmoayhrii.fr    udp
US       8.8.8.8:53         mvbbkuslvxkb.us     udp
US       8.8.8.8:53         dqefredqucnwpwo.nl  udp

Files

memory/4948-132-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4948-134-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4948-135-0x0000000000400000-0x000000000042D000-memory.dmp