Windows
Analysis Report
LockyRansom.exe
Overview
General Information
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
LockyRansom.exe (PID: 6924, cmdline: "C:\Users\user\Desktop\LockyRansom.exe", MD5: 1720B1748AD7B8AC0BFC1C3636FEAD95)
- cleanup
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|
05/23/24-01:13:30.810315 | 2023551 | 49704 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:13:53.178351 | 2023551 | 49706 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:13:53.178351 | 2023577 | 49706 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:13:53.178351 | 2023552 | 49706 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:13:52.300122 | 2023551 | 49705 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:13:52.300122 | 2023552 | 49705 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:13:52.300122 | 2023577 | 49705 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:14:14.647859 | 2023552 | 49708 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:14:36.143686 | 2023577 | 49709 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:14:58.402198 | 2023551 | 49711 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:14:14.647859 | 2023551 | 49708 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:14:57.599658 | 2023577 | 49710 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:14:58.402198 | 2023552 | 49711 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:14:36.143686 | 2023552 | 49709 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:14:36.143686 | 2023551 | 49709 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:14:58.402198 | 2023577 | 49711 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:14:14.647859 | 2023577 | 49708 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:14:57.599658 | 2023551 | 49710 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:14:57.599658 | 2023552 | 49710 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:13:30.810315 | 2023577 | 49704 | 80 | TCP | A Network Trojan was detected |
05/23/24-01:13:30.810315 | 2023552 | 49704 | 80 | TCP | A Network Trojan was detected |
AV Detection |
---|
Compliance |
---|
Networking |
---|
Spam, unwanted Advertisements and Ransom Demands |
---|
Data Obfuscation |
---|
Malware Analysis System Evasion |
---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 21 Software Packing | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 114 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 96% | ReversingLabs | Win32.Ransomware.Locky | |
| 100% | Avira | TR/Lethic.X | |
| 100% | Joe Sandbox ML | | |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
46.17.44.153 | unknown | Russian Federation | 51659 | ASBAXETRU | true |
46.183.165.45 | unknown | Russian Federation | 197695 | AS-REGRU | true |
37.143.9.154 | unknown | Russian Federation | 203226 | IHCRUInternet-HostingLtdMoscowRussiaRU | true |
185.179.190.31 | unknown | Russian Federation | 44094 | WEBHOST1-ASRU | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1446225 |
Start date and time: | 2024-05-23 01:12:08 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 26s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 17 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | LockyRansom.exe |
Detection: | MAL |
Classification: | mal96.rans.evad.winEXE@1/0@0/4 |
EGA Information: | |
HCA Information: | Failed |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: LockyRansom.exe
Time | Type | Description |
---|---|---|
20:22:08 | API Interceptor |
Match | Detection | Threat Name |
---|---|---|
ASBAXETRU | malicious | Gafgyt, Mirai |
ASBAXETRU | malicious | Gafgyt, Mirai |
ASBAXETRU | malicious | Gafgyt, Mirai |
ASBAXETRU | malicious | Gafgyt, Mirai |
ASBAXETRU | malicious | Gafgyt, Mirai |
ASBAXETRU | malicious | Xmrig |
ASBAXETRU | malicious | Gafgyt, Mirai |
ASBAXETRU | malicious | Gafgyt, Mirai |
ASBAXETRU | malicious | Gafgyt, Mirai |
ASBAXETRU | malicious | Gafgyt, Mirai |
WEBHOST1-ASRU | malicious | AsyncRAT |
WEBHOST1-ASRU | malicious | AsyncRAT |
WEBHOST1-ASRU | malicious | NetSupport RAT |
WEBHOST1-ASRU | malicious | NetSupport RAT |
WEBHOST1-ASRU | malicious | Unknown |
WEBHOST1-ASRU | malicious | AsyncRAT |
WEBHOST1-ASRU | malicious | AgentTesla |
WEBHOST1-ASRU | malicious | AgentTesla |
WEBHOST1-ASRU | malicious | Unknown |
WEBHOST1-ASRU | malicious | AgentTesla |
IHCRUInternet-HostingLtdMoscowRussiaRU | malicious | DCRat, PureLog Stealer, zgRAT |
IHCRUInternet-HostingLtdMoscowRussiaRU | malicious | Unknown |
IHCRUInternet-HostingLtdMoscowRussiaRU | malicious | Mirai |
IHCRUInternet-HostingLtdMoscowRussiaRU | malicious | DCRat |
IHCRUInternet-HostingLtdMoscowRussiaRU | malicious | Mirai |
IHCRUInternet-HostingLtdMoscowRussiaRU | malicious | Unknown |
IHCRUInternet-HostingLtdMoscowRussiaRU | malicious | DCRat |
IHCRUInternet-HostingLtdMoscowRussiaRU | malicious | Unknown |
IHCRUInternet-HostingLtdMoscowRussiaRU | malicious | CryptoWall |
IHCRUInternet-HostingLtdMoscowRussiaRU | malicious | CryptoWall |
AS-REGRU | malicious | FormBook |
AS-REGRU | malicious | Unknown |
AS-REGRU | malicious | FormBook, GuLoader |
AS-REGRU | malicious | FormBook, GuLoader |
AS-REGRU | malicious | FormBook |
AS-REGRU | malicious | FormBook |
AS-REGRU | malicious | FormBook |
AS-REGRU | malicious | FormBook, GuLoader |
AS-REGRU | malicious | FormBook, PureLog Stealer |
AS-REGRU | malicious | FormBook |
File type: | |
Entropy (8bit): | 7.785619133351701 |
TrID: | |
File name: | LockyRansom.exe |
File size: | 614'400 bytes |
MD5: | 1720b1748ad7b8ac0bfc1c3636fead95 |
SHA1: | 97bae63417df5bde4a05cd44c6c523db50f6ab76 |
SHA256: | 3329641a171508fa6b1ad7674b31431093d46be190d1a51acd77e486f42d9c8e |
SHA512: | 36d1f098c9ef9a80b42ad058c2a86e5cee794d12f74e479a79059197b82c847d8f88b256f17e2276fc0a9e21cf9b3210c563017d03d9c4ff3638484190a16b76 |
SSDEEP: | 12288:aKVWGHUsNNXxgAQWE9J4TyP5SqWiboPZnVXDsm:/UANB/Q7wqWicLXD |
TLSH: | 1CD4D09C5380E270F4B405B3558C8FFDC9BAECA147461AAE13F253F1AA027837F5A956 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O1Q.....................x....................@..........................p............................................. |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x40cab5 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x51314FC7 [Sat Mar 2 01:03:03 2013 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 87b1bf5d6ea7e7bea778583978f61b64 |
Instruction |
---|
push eax |
mov dword ptr [esp], ebp |
inc ecx |
mov ebp, esp |
sub esp, 30h |
cmp bp, FCFEh |
jc 00007FDC487B5859h |
lea edi, dword ptr [004141B5h] |
push dword ptr [edi] |
call 00007FDC487B7B11h |
push 004141A8h |
push 004141A8h |
call 00007FDC487BF8A1h |
push 004141A8h |
push 004141A8h |
call 00007FDC487BF892h |
mov eax, 0000000Fh |
push eax |
push 00414180h |
push 00414177h |
call 00007FDC487B98FAh |
test eax, eax |
jne 00007FDC487B9125h |
mov eax, 0000000Fh |
push eax |
push 00414180h |
push 00414177h |
call 00007FDC487B98DDh |
test eax, eax |
jne 00007FDC487B9108h |
lea edi, dword ptr [004045A3h] |
call 00007FDC487B603Eh |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
lea edx, dword ptr [004141B5h] |
push dword ptr [edx] |
call 00007FDC487B7A9Bh |
push 004141A8h |
push 004141A8h |
call 00007FDC487BF82Bh |
lea edi, dword ptr [004141B5h] |
push dword ptr [edi] |
call 00007FDC487B7A7Fh |
mov eax, 00000010h |
push eax |
push 00414198h |
push 0041418Fh |
call 00007FDC497BD628h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x96004 | 0xb4 | .dec |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd6000 | 0xd70 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1200 | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x957bc | 0x14c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xdb54 | 0xdc00 | 6bc820bd1ab6433528f62df7c9fd9e1b | False | 0.31221590909090907 | data | 4.910527615535297 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE |
.rdata | 0xf000 | 0x86908 | 0x86a00 | d26955b7f888466a914f3c11e80dafc1 | False | 0.9625261142061281 | data | 7.910838175775477 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.dec | 0x96000 | 0x40000 | 0x800 | cfc2407bbd549a4030bf935f1ea84f16 | False | 0.576171875 | Matlab v4 mat-file (little endian) \274W\011, numeric, rows 614584, columns 0 | 5.180594554872846 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xd6000 | 0xd70 | 0xe00 | a4235b9c316078526ec2006da1881b10 | False | 0.08900669642857142 | Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0, imaginary | 6.426023666341516 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
OPS | 0xd6170 | 0x200 | Targa image data - RGBA (1027-1541) 3340 x 3854 x 16 +2312 +2816 - 1-bit alpha - right | | | 0.34375 |
IKQ | 0xd6370 | 0x200 | Targa image data - RGBA (1027-1541) 3340 x 3854 x 16 +2312 +2816 - 1-bit alpha - right | English | United States | 0.34375 |
IKQ | 0xd6570 | 0x200 | Targa image data - RGBA (1027-1541) 3340 x 3854 x 16 +2312 +2816 - 1-bit alpha - right | English | United States | 0.34375 |
IKQ | 0xd6770 | 0x200 | Targa image data - RGBA (1027-1541) 3340 x 3854 x 16 +2312 +2816 - 1-bit alpha - right | English | United States | 0.34375 |
IKQ | 0xd6970 | 0x200 | Targa image data - RGBA (1027-1541) 3340 x 3854 x 16 +2312 +2816 - 1-bit alpha - right | English | United States | 0.34375 |
IKQ | 0xd6b70 | 0x200 | Targa image data - RGBA (1027-1541) 3340 x 3854 x 16 +2312 +2816 - 1-bit alpha - right | English | United States | 0.34375 |
DLL | Import |
---|---|
clbcatq.dll | DowngradeAPL, SetSetupSave |
cfgmgr32.dll | CM_Add_Empty_Log_Conf, CMP_Report_LogOn, CM_Add_IDA, CM_Add_Range |
user32.dll | wsprintfA, LoadBitmapW, IsDialogMessageA, DispatchMessageW, PostMessageW, CharToOemA, LoadIconA, IsCharLowerW, DialogBoxParamA, MessageBoxA, GetClassLongA, DrawStateW, PeekMessageW, InsertMenuW |
cryptdll.dll | MD5Update, MD5Final |
kernel32.dll | GetCommandLineW, InterlockedIncrement, CreateNamedPipeA, GetEnvironmentVariableW, WaitForSingleObject, GetLocalTime, CreateThread, GetModuleFileNameW, FindClose, FindResourceExA, OpenProcess, GlobalAddAtomA, GetConsoleTitleA, SetPriorityClass, FindNextFileW, CreateFileMappingW, FindFirstFileW, FormatMessageA, CloseHandle, GetLogicalDriveStringsA, GetProcAddress, GetPrivateProfileStringA, CreateDirectoryA, CreateSemaphoreW, LoadLibraryA, SetEnvironmentVariableA, GetModuleHandleA |
shlwapi.dll | UrlGetPartW, PathCompactPathW, UrlCreateFromPathW, UrlCombineA, UrlEscapeW, UrlCompareW, UrlUnescapeW, PathIsRootW, UrlHashA, UrlIsNoHistoryW, UrlGetLocationA, PathCommonPrefixW, UrlIsW, PathCombineA |
rsaenh.dll | CPDecrypt, CPDeriveKey |
shell32.dll | Shell_NotifyIconA, DllCanUnloadNow, DragQueryFileA, DllGetVersion, SHBrowseForFolderW, SHGetFolderPathA, StrChrA, ExtractIconW, SHEmptyRecycleBinA, SHCreateDirectoryExA |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
05/23/24-01:13:30.810315 | TCP | 2023551 | ET TROJAN Locky CnC checkin Nov 21 | 49704 | 80 | 192.168.2.7 | 185.179.190.31 |
05/23/24-01:13:53.178351 | TCP | 2023551 | ET TROJAN Locky CnC checkin Nov 21 | 49706 | 80 | 192.168.2.7 | 46.17.44.153 |
05/23/24-01:13:53.178351 | TCP | 2023577 | ET TROJAN Locky CnC Checkin HTTP Pattern | 49706 | 80 | 192.168.2.7 | 46.17.44.153 |
05/23/24-01:13:53.178351 | TCP | 2023552 | ET TROJAN Locky CnC checkin Nov 21 M2 | 49706 | 80 | 192.168.2.7 | 46.17.44.153 |
05/23/24-01:13:52.300122 | TCP | 2023551 | ET TROJAN Locky CnC checkin Nov 21 | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
05/23/24-01:13:52.300122 | TCP | 2023552 | ET TROJAN Locky CnC checkin Nov 21 M2 | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
05/23/24-01:13:52.300122 | TCP | 2023577 | ET TROJAN Locky CnC Checkin HTTP Pattern | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
05/23/24-01:14:14.647859 | TCP | 2023552 | ET TROJAN Locky CnC checkin Nov 21 M2 | 49708 | 80 | 192.168.2.7 | 46.183.165.45 |
05/23/24-01:14:36.143686 | TCP | 2023577 | ET TROJAN Locky CnC Checkin HTTP Pattern | 49709 | 80 | 192.168.2.7 | 185.179.190.31 |
05/23/24-01:14:58.402198 | TCP | 2023551 | ET TROJAN Locky CnC checkin Nov 21 | 49711 | 80 | 192.168.2.7 | 46.17.44.153 |
05/23/24-01:14:14.647859 | TCP | 2023551 | ET TROJAN Locky CnC checkin Nov 21 | 49708 | 80 | 192.168.2.7 | 46.183.165.45 |
05/23/24-01:14:57.599658 | TCP | 2023577 | ET TROJAN Locky CnC Checkin HTTP Pattern | 49710 | 80 | 192.168.2.7 | 37.143.9.154 |
05/23/24-01:14:58.402198 | TCP | 2023552 | ET TROJAN Locky CnC checkin Nov 21 M2 | 49711 | 80 | 192.168.2.7 | 46.17.44.153 |
05/23/24-01:14:36.143686 | TCP | 2023552 | ET TROJAN Locky CnC checkin Nov 21 M2 | 49709 | 80 | 192.168.2.7 | 185.179.190.31 |
05/23/24-01:14:36.143686 | TCP | 2023551 | ET TROJAN Locky CnC checkin Nov 21 | 49709 | 80 | 192.168.2.7 | 185.179.190.31 |
05/23/24-01:14:58.402198 | TCP | 2023577 | ET TROJAN Locky CnC Checkin HTTP Pattern | 49711 | 80 | 192.168.2.7 | 46.17.44.153 |
05/23/24-01:14:14.647859 | TCP | 2023577 | ET TROJAN Locky CnC Checkin HTTP Pattern | 49708 | 80 | 192.168.2.7 | 46.183.165.45 |
05/23/24-01:14:57.599658 | TCP | 2023551 | ET TROJAN Locky CnC checkin Nov 21 | 49710 | 80 | 192.168.2.7 | 37.143.9.154 |
05/23/24-01:14:57.599658 | TCP | 2023552 | ET TROJAN Locky CnC checkin Nov 21 M2 | 49710 | 80 | 192.168.2.7 | 37.143.9.154 |
05/23/24-01:13:30.810315 | TCP | 2023577 | ET TROJAN Locky CnC Checkin HTTP Pattern | 49704 | 80 | 192.168.2.7 | 185.179.190.31 |
05/23/24-01:13:30.810315 | TCP | 2023552 | ET TROJAN Locky CnC checkin Nov 21 M2 | 49704 | 80 | 192.168.2.7 | 185.179.190.31 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 23, 2024 01:13:30.803800106 CEST | 49704 | 80 | 192.168.2.7 | 185.179.190.31 |
May 23, 2024 01:13:30.809298038 CEST | 80 | 49704 | 185.179.190.31 | 192.168.2.7 |
May 23, 2024 01:13:30.809405088 CEST | 49704 | 80 | 192.168.2.7 | 185.179.190.31 |
May 23, 2024 01:13:30.810314894 CEST | 49704 | 80 | 192.168.2.7 | 185.179.190.31 |
May 23, 2024 01:13:30.810343981 CEST | 49704 | 80 | 192.168.2.7 | 185.179.190.31 |
May 23, 2024 01:13:30.865405083 CEST | 80 | 49704 | 185.179.190.31 | 192.168.2.7 |
May 23, 2024 01:13:30.915318012 CEST | 80 | 49704 | 185.179.190.31 | 192.168.2.7 |
May 23, 2024 01:13:52.199529886 CEST | 80 | 49704 | 185.179.190.31 | 192.168.2.7 |
May 23, 2024 01:13:52.199759007 CEST | 49704 | 80 | 192.168.2.7 | 185.179.190.31 |
May 23, 2024 01:13:52.200572968 CEST | 49704 | 80 | 192.168.2.7 | 185.179.190.31 |
May 23, 2024 01:13:52.202433109 CEST | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:13:52.253406048 CEST | 80 | 49704 | 185.179.190.31 | 192.168.2.7 |
May 23, 2024 01:13:52.299529076 CEST | 80 | 49705 | 37.143.9.154 | 192.168.2.7 |
May 23, 2024 01:13:52.299807072 CEST | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:13:52.300122023 CEST | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:13:52.300122976 CEST | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:13:52.353425026 CEST | 80 | 49705 | 37.143.9.154 | 192.168.2.7 |
May 23, 2024 01:13:52.399514914 CEST | 80 | 49705 | 37.143.9.154 | 192.168.2.7 |
May 23, 2024 01:13:53.120646000 CEST | 80 | 49705 | 37.143.9.154 | 192.168.2.7 |
May 23, 2024 01:13:53.120884895 CEST | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:13:53.121176958 CEST | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:13:53.121211052 CEST | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:13:53.122760057 CEST | 49706 | 80 | 192.168.2.7 | 46.17.44.153 |
May 23, 2024 01:13:53.126065016 CEST | 80 | 49705 | 37.143.9.154 | 192.168.2.7 |
May 23, 2024 01:13:53.126097918 CEST | 80 | 49705 | 37.143.9.154 | 192.168.2.7 |
May 23, 2024 01:13:53.126136065 CEST | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:13:53.126178980 CEST | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:13:53.173387051 CEST | 80 | 49705 | 37.143.9.154 | 192.168.2.7 |
May 23, 2024 01:13:53.173538923 CEST | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:13:53.178014040 CEST | 80 | 49706 | 46.17.44.153 | 192.168.2.7 |
May 23, 2024 01:13:53.178118944 CEST | 49706 | 80 | 192.168.2.7 | 46.17.44.153 |
May 23, 2024 01:13:53.178350925 CEST | 49706 | 80 | 192.168.2.7 | 46.17.44.153 |
May 23, 2024 01:13:53.178380013 CEST | 49706 | 80 | 192.168.2.7 | 46.17.44.153 |
May 23, 2024 01:13:53.225675106 CEST | 80 | 49706 | 46.17.44.153 | 192.168.2.7 |
May 23, 2024 01:13:53.271348953 CEST | 80 | 49706 | 46.17.44.153 | 192.168.2.7 |
May 23, 2024 01:14:14.586029053 CEST | 80 | 49706 | 46.17.44.153 | 192.168.2.7 |
May 23, 2024 01:14:14.586332083 CEST | 49706 | 80 | 192.168.2.7 | 46.17.44.153 |
May 23, 2024 01:14:14.586779118 CEST | 49706 | 80 | 192.168.2.7 | 46.17.44.153 |
May 23, 2024 01:14:14.589165926 CEST | 49708 | 80 | 192.168.2.7 | 46.183.165.45 |
May 23, 2024 01:14:14.596303940 CEST | 80 | 49706 | 46.17.44.153 | 192.168.2.7 |
May 23, 2024 01:14:14.647488117 CEST | 80 | 49708 | 46.183.165.45 | 192.168.2.7 |
May 23, 2024 01:14:14.647655964 CEST | 49708 | 80 | 192.168.2.7 | 46.183.165.45 |
May 23, 2024 01:14:14.647859097 CEST | 49708 | 80 | 192.168.2.7 | 46.183.165.45 |
May 23, 2024 01:14:14.647880077 CEST | 49708 | 80 | 192.168.2.7 | 46.183.165.45 |
May 23, 2024 01:14:14.701381922 CEST | 80 | 49708 | 46.183.165.45 | 192.168.2.7 |
May 23, 2024 01:14:14.747514963 CEST | 80 | 49708 | 46.183.165.45 | 192.168.2.7 |
May 23, 2024 01:14:36.086546898 CEST | 80 | 49708 | 46.183.165.45 | 192.168.2.7 |
May 23, 2024 01:14:36.086848021 CEST | 49708 | 80 | 192.168.2.7 | 46.183.165.45 |
May 23, 2024 01:14:36.087313890 CEST | 49708 | 80 | 192.168.2.7 | 46.183.165.45 |
May 23, 2024 01:14:36.094095945 CEST | 49709 | 80 | 192.168.2.7 | 185.179.190.31 |
May 23, 2024 01:14:36.097479105 CEST | 80 | 49708 | 46.183.165.45 | 192.168.2.7 |
May 23, 2024 01:14:36.143347979 CEST | 80 | 49709 | 185.179.190.31 | 192.168.2.7 |
May 23, 2024 01:14:36.143445969 CEST | 49709 | 80 | 192.168.2.7 | 185.179.190.31 |
May 23, 2024 01:14:36.143686056 CEST | 49709 | 80 | 192.168.2.7 | 185.179.190.31 |
May 23, 2024 01:14:36.143735886 CEST | 49709 | 80 | 192.168.2.7 | 185.179.190.31 |
May 23, 2024 01:14:36.193267107 CEST | 80 | 49709 | 185.179.190.31 | 192.168.2.7 |
May 23, 2024 01:14:36.239310980 CEST | 80 | 49709 | 185.179.190.31 | 192.168.2.7 |
May 23, 2024 01:14:57.544363976 CEST | 80 | 49709 | 185.179.190.31 | 192.168.2.7 |
May 23, 2024 01:14:57.544466972 CEST | 49709 | 80 | 192.168.2.7 | 185.179.190.31 |
May 23, 2024 01:14:57.544642925 CEST | 49709 | 80 | 192.168.2.7 | 185.179.190.31 |
May 23, 2024 01:14:57.546190977 CEST | 49710 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:14:57.554361105 CEST | 80 | 49709 | 185.179.190.31 | 192.168.2.7 |
May 23, 2024 01:14:57.599268913 CEST | 80 | 49710 | 37.143.9.154 | 192.168.2.7 |
May 23, 2024 01:14:57.599383116 CEST | 49710 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:14:57.599658012 CEST | 49710 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:14:57.599693060 CEST | 49710 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:14:57.649346113 CEST | 80 | 49710 | 37.143.9.154 | 192.168.2.7 |
May 23, 2024 01:14:57.696218014 CEST | 80 | 49710 | 37.143.9.154 | 192.168.2.7 |
May 23, 2024 01:14:58.379328012 CEST | 80 | 49710 | 37.143.9.154 | 192.168.2.7 |
May 23, 2024 01:14:58.379419088 CEST | 49710 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:14:58.379585981 CEST | 49710 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:14:58.379615068 CEST | 49710 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:14:58.380893946 CEST | 49711 | 80 | 192.168.2.7 | 46.17.44.153 |
May 23, 2024 01:14:58.386002064 CEST | 80 | 49710 | 37.143.9.154 | 192.168.2.7 |
May 23, 2024 01:14:58.386013031 CEST | 80 | 49710 | 37.143.9.154 | 192.168.2.7 |
May 23, 2024 01:14:58.386066914 CEST | 49710 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:14:58.386066914 CEST | 49710 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:14:58.394542933 CEST | 80 | 49710 | 37.143.9.154 | 192.168.2.7 |
May 23, 2024 01:14:58.394776106 CEST | 49710 | 80 | 192.168.2.7 | 37.143.9.154 |
May 23, 2024 01:14:58.401979923 CEST | 80 | 49711 | 46.17.44.153 | 192.168.2.7 |
May 23, 2024 01:14:58.402061939 CEST | 49711 | 80 | 192.168.2.7 | 46.17.44.153 |
May 23, 2024 01:14:58.402198076 CEST | 49711 | 80 | 192.168.2.7 | 46.17.44.153 |
May 23, 2024 01:14:58.402218103 CEST | 49711 | 80 | 192.168.2.7 | 46.17.44.153 |
May 23, 2024 01:14:58.463649035 CEST | 80 | 49711 | 46.17.44.153 | 192.168.2.7 |
May 23, 2024 01:14:58.512361050 CEST | 80 | 49711 | 46.17.44.153 | 192.168.2.7 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.7 | 49704 | 185.179.190.31 | 80 | 6924 | C:\Users\user\Desktop\LockyRansom.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
May 23, 2024 01:13:30.810314894 CEST | 473 | OUT | |
May 23, 2024 01:13:30.810343981 CEST | 613 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.7 | 49705 | 37.143.9.154 | 80 | 6924 | C:\Users\user\Desktop\LockyRansom.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
May 23, 2024 01:13:52.300122023 CEST | 469 | OUT | |
May 23, 2024 01:13:52.300122976 CEST | 613 | OUT | |
May 23, 2024 01:13:53.120646000 CEST | 1236 | IN | |
May 23, 2024 01:13:53.126065016 CEST | 1029 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.7 | 49706 | 46.17.44.153 | 80 | 6924 | C:\Users\user\Desktop\LockyRansom.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
May 23, 2024 01:13:53.178350925 CEST | 469 | OUT | |
May 23, 2024 01:13:53.178380013 CEST | 613 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.7 | 49708 | 46.183.165.45 | 80 | 6924 | C:\Users\user\Desktop\LockyRansom.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
May 23, 2024 01:14:14.647859097 CEST | 471 | OUT | |
May 23, 2024 01:14:14.647880077 CEST | 613 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.7 | 49709 | 185.179.190.31 | 80 | 6924 | C:\Users\user\Desktop\LockyRansom.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
May 23, 2024 01:14:36.143686056 CEST | 473 | OUT | |
May 23, 2024 01:14:36.143735886 CEST | 613 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.7 | 49710 | 37.143.9.154 | 80 | 6924 | C:\Users\user\Desktop\LockyRansom.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
May 23, 2024 01:14:57.599658012 CEST | 469 | OUT | |
May 23, 2024 01:14:57.599693060 CEST | 613 | OUT | |
May 23, 2024 01:14:58.379328012 CEST | 1236 | IN | |
May 23, 2024 01:14:58.386002064 CEST | 1029 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.7 | 49711 | 46.17.44.153 | 80 | 6924 | C:\Users\user\Desktop\LockyRansom.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
May 23, 2024 01:14:58.402198076 CEST | 469 | OUT | |
May 23, 2024 01:14:58.402218103 CEST | 613 | OUT |
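The alert rows and the per-session summaries above record the same check-in sequence from two vantage points: the IDS sees one to three ET TROJAN signatures per connection, the sandbox sees how many bytes went each way. The following Python, an added example rather than output of this report or code from Joe Sandbox, folds both into one record per connection and derives the three things an analyst wants from this traffic: the set of C2 hosts, which of them actually answered, and the gap before the sample moved to the next host. Sample rows are copied from the tables above (a subset of the alert rows is enough, since one row per connection fixes its first-seen time); `Checkin`, `correlate` and `gaps` are names chosen for this example.

```python
"""Correlate ET TROJAN Locky alerts with the sandbox HTTP session summaries.
Added example; row formats mirror the report tables above, names are my own."""
from dataclasses import dataclass, field
from datetime import datetime

# Alert rows copied from the report (timestamp | proto | SID | signature | sport | dport | src | dst).
ALERTS = """
05/23/24-01:13:30.810315 | TCP | 2023577 | ET TROJAN Locky CnC Checkin HTTP Pattern | 49704 | 80 | 192.168.2.7 | 185.179.190.31 |
05/23/24-01:13:30.810315 | TCP | 2023552 | ET TROJAN Locky CnC checkin Nov 21 M2 | 49704 | 80 | 192.168.2.7 | 185.179.190.31 |
05/23/24-01:13:52.300122 | TCP | 2023551 | ET TROJAN Locky CnC checkin Nov 21 | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
05/23/24-01:13:52.300122 | TCP | 2023552 | ET TROJAN Locky CnC checkin Nov 21 M2 | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
05/23/24-01:13:52.300122 | TCP | 2023577 | ET TROJAN Locky CnC Checkin HTTP Pattern | 49705 | 80 | 192.168.2.7 | 37.143.9.154 |
05/23/24-01:13:53.178351 | TCP | 2023552 | ET TROJAN Locky CnC checkin Nov 21 M2 | 49706 | 80 | 192.168.2.7 | 46.17.44.153 |
05/23/24-01:14:14.647859 | TCP | 2023551 | ET TROJAN Locky CnC checkin Nov 21 | 49708 | 80 | 192.168.2.7 | 46.183.165.45 |
05/23/24-01:14:36.143686 | TCP | 2023577 | ET TROJAN Locky CnC Checkin HTTP Pattern | 49709 | 80 | 192.168.2.7 | 185.179.190.31 |
05/23/24-01:14:57.599658 | TCP | 2023551 | ET TROJAN Locky CnC checkin Nov 21 | 49710 | 80 | 192.168.2.7 | 37.143.9.154 |
05/23/24-01:14:58.402198 | TCP | 2023552 | ET TROJAN Locky CnC checkin Nov 21 M2 | 49711 | 80 | 192.168.2.7 | 46.17.44.153 |
"""

# Session summaries condensed from the report's per-session tables (sport | dst | direction:bytes ...).
SESSIONS = """
49704 | 185.179.190.31 | OUT:473 OUT:613
49705 | 37.143.9.154   | OUT:469 OUT:613 IN:1236 IN:1029
49706 | 46.17.44.153   | OUT:469 OUT:613
49708 | 46.183.165.45  | OUT:471 OUT:613
49709 | 185.179.190.31 | OUT:473 OUT:613
49710 | 37.143.9.154   | OUT:469 OUT:613 IN:1236 IN:1029
49711 | 46.17.44.153   | OUT:469 OUT:613
"""


@dataclass
class Checkin:
    """One C2 connection, keyed by the client's ephemeral source port."""
    sport: int
    dst: str
    first_seen: datetime
    sids: set = field(default_factory=set)
    bytes_out: int = 0
    bytes_in: int = 0

    @property
    def answered(self) -> bool:
        # Any inbound payload means the host returned an HTTP response body.
        return self.bytes_in > 0


def _cells(line):
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_alerts(text):
    """One dict per alert row; the timestamp keeps its microseconds."""
    rows = []
    for line in text.strip().splitlines():
        ts, proto, sid, msg, sport, dport, src, dst = _cells(line)
        rows.append({"ts": datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"),
                     "sid": int(sid), "msg": msg, "sport": int(sport),
                     "dport": int(dport), "src": src, "dst": dst})
    return rows


def parse_sessions(text):
    """Map sport -> (dst, total bytes out, total bytes in)."""
    out = {}
    for line in text.strip().splitlines():
        sport, dst, segs = _cells(line)
        tx = rx = 0
        for seg in segs.split():
            direction, n = seg.split(":")
            if direction == "OUT":
                tx += int(n)
            else:
                rx += int(n)
        out[int(sport)] = (dst, tx, rx)
    return out


def correlate(alerts, sessions):
    """Fold all alerts for one source port into a Checkin enriched with session bytes."""
    by_port = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        c = by_port.get(a["sport"])
        if c is None:
            dst, tx, rx = sessions.get(a["sport"], (a["dst"], 0, 0))
            c = by_port[a["sport"]] = Checkin(a["sport"], dst, a["ts"], bytes_out=tx, bytes_in=rx)
        c.sids.add(a["sid"])
    return sorted(by_port.values(), key=lambda c: c.first_seen)


def c2_hosts(checkins):
    return sorted({c.dst for c in checkins})


def answered_hosts(checkins):
    return sorted({c.dst for c in checkins if c.answered})


def gaps(checkins):
    """Seconds between consecutive connections, rounded to 10 ms."""
    return [round((b.first_seen - a.first_seen).total_seconds(), 2)
            for a, b in zip(checkins, checkins[1:])]


if __name__ == "__main__":
    cs = correlate(parse_alerts(ALERTS), parse_sessions(SESSIONS))
    for c in cs:
        print(c.sport, c.dst, sorted(c.sids), c.bytes_out, c.bytes_in,
              "answered" if c.answered else "silent")
    print("C2 hosts:", c2_hosts(cs))
    print("answered:", answered_hosts(cs))
    print("gaps (s):", gaps(cs))
```

On these rows the four hosts are tried in the same order twice (185.179.190.31, 37.143.9.154, 46.17.44.153, 46.183.165.45), every connection sends the same two outbound segments (a 469 to 473 byte request followed by a 613 byte body), and only 37.143.9.154 returns data (1236 + 1029 bytes). The gap after each of the three silent hosts is about 21.5 s, while the connection after an answered session follows within a second, so the 21.5 s figure is the sample's response timeout rather than a beacon interval; a periodicity rule written from this capture should be built on the 613-byte POST body and the SID trio, not on the timing.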
Target ID: | 0 |
Start time: | 19:12:59 |
Start date: | 22/05/2024 |
Path: | C:\Users\user\Desktop\LockyRansom.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 614'400 bytes |
MD5 hash: | 1720B1748AD7B8AC0BFC1C3636FEAD95 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 1.4% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 16.9% |
Total number of Nodes: | 177 |
Total number of Limit Nodes: | 12 |
Functions

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
005C007E | 7.6 | 5 | | 127 | memory, COMMON |
005C01C0 | 8.8 | 4 | 1 | 98 | library, memory, loader, COMMON |
0040347F | 8.8 | 3 | 2 | 42 | COMMON, LIBRARYCODE |
005C01F3 | 4.6 | 3 | | 54 | library, memory, loader, COMMON |
0042B880 | 3.1 | 2 | | 79 | COMMON |
004221DB | 1.5 | 1 | | 10 | COMMON |
00419717 | 1.5 | 1 | | 7 | COMMON |
00690000 | 1.3 | 1 | | 48 | memory, COMMON |
005C05EF | 1.3 | 1 | | 8 | memory, COMMON |
0042E700 | 3.1 | 2 | | 146 | COMMON |
0042D5D0 | 3.1 | 2 | | 108 | file, COMMON |
0041973D | 1.5 | 1 | | 18 | COMMON |
004197BD | 1.5 | 1 | | 13 | memory, COMMON |
00423053 | 1.5 | 1 | | 6 | COMMON |
00405F08 | 1.5 | 1 | | 4 | COMMON |
0040CC4E | 1.5 | 1 | | 3 | com, COMMON |
0069007E | 0.1 | | | 127 | COMMON |
004022D0 | 0.1 | | | 76 | COMMON |
006903EE | 0.0 | | | 17 | COMMON |
005C03EE | 0.0 | | | 17 | COMMON |
0040C58C | 0.0 | | | 10 | COMMON |
00403D74 | 29.9 | 12 | 5 | 109 | library, loader, memory, COMMON |
00405B80 | 17.8 | 6 | 4 | 262 | COMMON, LIBRARYCODE |
00403AFE | 10.5 | 5 | 1 | 40 | COMMON, LIBRARYCODE |
0040819D | 7.6 | 5 | | 58 | memory, COMMON |
004031F8 | 5.3 | 2 | 1 | 37 | COMMON, LIBRARYCODE |

The functions at 005C0xxx and 00690xxx lie well above the 614,400-byte image mapped at 0x400000, so they were reached in memory the process allocated and filled at run time, which is consistent with the 100% dynamic/decrypted code coverage reported above. The matching instruction counts at 005C007E/0069007E (127) and 005C03EE/006903EE (17) suggest the same unpacked code was placed in both regions.