Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\LockyRansom.exe

"C:\Users\user\Desktop\LockyRansom.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6924
Target ID:	0
Parent PID:	4056
Name:	LockyRansom.exe
Path:	C:\Users\user\Desktop\LockyRansom.exe
Commandline:	"C:\Users\user\Desktop\LockyRansom.exe"
Size:	614400
MD5:	1720B1748AD7B8AC0BFC1C3636FEAD95
Time:	19:12:59
Date:	22/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	880640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Sample is known by Antivirus	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary

URLs

Name

Malicious

http://46.17.44.153/imageload.cgi

46.17.44.153

http://37.143.9.154/imageload.cgi

37.143.9.154

http://46.183.165.45/imageload.cgi

46.183.165.45

http://185.179.190.31/imageload.cgi

185.179.190.31

http://46.17.44.153/imageload.cgi0.31/imageload.cgi

unknown

http://37.143.9.154/imageload.cgiC

unknown

http://37.143.9.154/imageload.cgiy

unknown

http://46.17.44.1531oad.cgi%880

unknown

https://www.torproject.org/download/download-easy.html

unknown

http://46.17.44.153/imageload.cgiL

unknown

http://46.183.165.45/imageload.cgia-deddda976288

unknown

http://46.17.44.153/imageload.cgiV

unknown

http://37.143.9.154/imag=

unknown

http://46.17.44.153/imageload.cgiP

unknown

http://185.179.190.31/imageload.cgir

unknown

http://37.143.9.154/imageload.cgii

unknown

http://37.143.9.154/imageload.cgilh

unknown

http://46.17.44.153/imageload.cgiy3

unknown

http://46.17.44.153

unknown

http://185.179.190.31/imageload.cgin

unknown

http://37.143.9.154/imageload.cgid

unknown

http://46.17.44.153/

unknown

http://46.17.44.153/imageload.cgii

unknown

http://46.17.44.153/imageload.cgik

unknown

http://37.143.9.154/imageload.cgiP

unknown

http://46.183.165.45/

unknown

http://46.17.44.153/imageload.cgi0

unknown

There are 17 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

46.17.44.153

unknown

Russian Federation

Details

IP:	46.17.44.153
TargetID:	0
Current Path:	C:\Users\user\Desktop\LockyRansom.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	51659
ASN name:	ASBAXETRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
URLs found in memory or binary data	Networking

46.183.165.45

unknown

Russian Federation

Details

IP:	46.183.165.45
TargetID:	0
Current Path:	C:\Users\user\Desktop\LockyRansom.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	197695
ASN name:	AS-REGRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
URLs found in memory or binary data	Networking

37.143.9.154

unknown

Russian Federation

Details

IP:	37.143.9.154
TargetID:	0
Current Path:	C:\Users\user\Desktop\LockyRansom.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	203226
ASN name:	IHCRUInternet-HostingLtdMoscowRussiaRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
URLs found in memory or binary data	Networking

185.179.190.31

unknown

Russian Federation

Details

IP:	185.179.190.31
TargetID:	0
Current Path:	C:\Users\user\Desktop\LockyRansom.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	44094
ASN name:	WEBHOST1-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

73A000

heap

page read and write

5E1000

direct allocation

page read and write

400000

unkown

page readonly

730000

heap

page read and write

1F0000

heap

page read and write

2A3D000

stack

page read and write

19A000

stack

page read and write

401000

unkown

page execute read

6A0000

direct allocation

page read and write

5C0000

direct allocation

page execute and read and write

27BF000

stack

page read and write

635000

heap

page read and write

496000

unkown

page write copy

5D0000

direct allocation

page read and write

293E000

stack

page read and write

BC0000

heap

page read and write

A0F000

stack

page read and write

486000

unkown

page readonly

239E000

stack

page read and write

9B000

stack

page read and write

4D6000

unkown

page readonly

487000

unkown

page execute and write copy

400000

unkown

page readonly

5F0000

heap

page read and write

78C000

heap

page read and write

401000

unkown

page execute

496000

unkown

page write copy

478000

unkown

page readonly

47F000

unkown

page read and write

28FE000

stack

page read and write

235F000

stack

page read and write

27FE000

stack

page read and write

630000

heap

page read and write

78E000

heap

page read and write

5B0000

heap

page read and write

414000

unkown

page execute and write copy

9CE000

stack

page read and write

495000

unkown

page execute and read and write

483000

unkown

page readonly

231E000

stack

page read and write

23B0000

heap

page read and write

73E000

heap

page read and write

40F000

unkown

page execute and write copy

277E000

stack

page read and write

273F000

stack

page read and write

690000

heap

page execute and read and write

4D6000

unkown

page readonly

610000

heap

page read and write

There are 38 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
LockyRansom.exe

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLockyRansom.exe

Processes

URLs

IPs

Memdumps

IOC Report
LockyRansom.exe