Malware Analysis Report

2024-10-19 08:26

Sample ID 240125-wa6t5schcm
Target 2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker
SHA256 6be70c12a7a0879e1fc176a0fbd425847989a291ab61dc1ddce0d731ec46e309
Tags
kinsing loader discovery
score
10/10

Analysis Overview

score
10/10

SHA256

6be70c12a7a0879e1fc176a0fbd425847989a291ab61dc1ddce0d731ec46e309

Threat Level: Known bad

The file 2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker was found to be: Known bad.

Malicious Activity Summary

kinsing loader discovery

Kinsing

Detection of CryptoLocker Variants

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Creates a large amount of network flows

Enumerates physical storage devices

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:44

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:44

Reported

2024-01-25 17:46

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe"

Signatures

Kinsing

loader kinsing

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe | N/A
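
The registry read above is the sample fetching the host's GeoID (the numeric country code Windows stores under Control Panel\International\Geo\Nation), a common pre-execution check for geofencing or sandbox avoidance. Sandboxes and Sysmon record the key in kernel form (\REGISTRY\USER\<SID>\...), while detection rules are usually written against hive names (HKCU\...), so a detector needs to normalise one onto the other. The script below is an added example written for this report, not part of the sandbox output; the watchlist entries other than Geo\Nation, and the (process, path) event shape, are assumptions for illustration.

```python
import re

# Registry values malware commonly reads to fingerprint or geofence the host.
# Geo\Nation is the one this report recorded; the other two are assumptions
# added for illustration.
GEOFENCE_VALUES = {
    r"HKCU\Control Panel\International\Geo\Nation",
    r"HKCU\Control Panel\International\LocaleName",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language\Default",
}

# A per-user SID looks like S-1-5-21-<domain triple>-<RID>; the "_Classes"
# alias hive deliberately does not match, so it stays under HKU.
_USER_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$", re.IGNORECASE)


def normalize_reg_path(path: str) -> str:
    """Map a kernel-style path (\\REGISTRY\\USER\\<SID>\\...) as sandboxes and
    Sysmon log it onto the HKLM/HKU/HKCU names analysts write rules against.
    Paths that are not kernel-style are returned unchanged."""
    parts = path.strip("\\").split("\\")
    if len(parts) < 2 or parts[0].upper() != "REGISTRY":
        return path
    hive, rest = parts[1].upper(), parts[2:]
    if hive == "MACHINE":
        return "\\".join(["HKLM", *rest])
    if hive == "USER":
        # The interactive user's own SID is what HKCU resolves to, so fold it
        # into HKCU; anything else (other SIDs, _Classes) stays under HKU.
        if rest and _USER_SID_RE.match(rest[0]):
            return "\\".join(["HKCU", *rest[1:]])
        return "\\".join(["HKU", *rest])
    return path


def is_geofence_query(path: str) -> bool:
    """True if the (normalised) path is one of the watched values."""
    watched = {v.lower() for v in GEOFENCE_VALUES}
    return normalize_reg_path(path).lower() in watched


def scan_registry_events(events):
    """events: iterable of (process_image, registry_path) pairs, e.g. taken
    from Sysmon Event ID 12/13 or a sandbox registry trace (assumed shape).
    Returns the hits with the path normalised for reporting."""
    return [(proc, normalize_reg_path(p)) for proc, p in events if is_geofence_query(p)]


# Constructed sample events: the first is the exact query from this report,
# the second is ordinary noise that must not match.
SAMPLE_EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe",
     r"\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation"),
    (r"C:\Windows\explorer.exe",
     r"\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Windows\CurrentVersion\Explorer"),
]

if __name__ == "__main__":
    for proc, path in scan_registry_events(SAMPLE_EVENTS):
        print(f"geofence check by {proc}: {path}")
```

A single read of Geo\Nation is not malicious on its own (installers and locale-aware software do it too), so in production this match is best used as an enrichment on a process that also scores on other signatures, as it does here.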

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\retln.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\retln.exe

"C:\Users\Admin\AppData\Local\Temp\retln.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
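
Two things stand out in the table above: the only traffic recorded is DNS to 8.8.8.8, and storage-cabinets.info is queried over and over within a 147-second window, interleaved with reverse (in-addr.arpa) lookups of unrelated addresses. Repeated resolution of one name with no follow-on TCP or UDP flow to the answer is what a retry loop against a dead or sinkholed C2 domain looks like. The script below is an added example written for this report, not part of the sandbox output: it parses rows in the report's own four-column format, counts forward queries per name, recovers the IPs behind the PTR lookups, and flags names queried above a threshold. The embedded rows are an excerpt of the table (the first twelve lines) so the script runs offline; the threshold of five queries is an assumption.

```python
from collections import Counter
import ipaddress

# Excerpt of the behavioral2 network table (first twelve rows), embedded so the
# script runs offline. Columns: Country Destination Domain Proto.
NETWORK_ROWS = """\
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
"""


def parse_rows(text):
    """Parse whitespace-separated rows in the report's format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def summarize_dns(rows):
    """Split the DNS rows into forward-query counts and reverse-looked-up IPs."""
    forward = Counter()
    reverse_ips = []
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip:
            reverse_ips.append(ip)
        else:
            forward[r["domain"]] += 1
    return {"forward": forward, "reverse_ips": reverse_ips}


def beacon_candidates(rows, min_queries=5):
    """Names resolved at least min_queries times in one detonation (assumed threshold)."""
    forward = summarize_dns(rows)["forward"]
    return sorted(d for d, n in forward.items() if n >= min_queries)


def non_dns_flows(rows):
    """Any row whose destination is not port 53, i.e. actual C2 traffic if present."""
    return [r for r in rows if not r["dest"].endswith(":53")]


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    summary = summarize_dns(rows)
    print("forward queries:", dict(summary["forward"]))
    print("reverse lookups:", summary["reverse_ips"])
    print("beacon candidates:", beacon_candidates(rows))
    print("non-DNS flows:", len(non_dns_flows(rows)))
```

The reverse lookups are worth carrying into the IOC set as well: an implant that does PTR queries for addresses it never connects to is usually resolving something it read from its own configuration or from the host, and the recovered IPs can be pivoted on in passive DNS.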

Files

memory/432-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

memory/432-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

memory/432-2-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\retln.exe

MD5 1e03ae0437c4513a3b47918ab5776e0b
SHA1 0f1e86100d331039b61dc60d724a643b6897bc31
SHA256 9d1c947c419f5526bde951216608ef898e02492696146f5e2e33dd7ab26df1a5
SHA512 5c2856c89aec01e9e508e5a045eaf4f2cd3d335aa8c0aef530afdcca30d351b02fb15a4831321bf55ab853970f671ce607177a78e6143b5690a505a7da1cb511

memory/2068-20-0x0000000002D60000-0x0000000002D66000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:44

Reported

2024-01-25 17:46

Platform

win7-20231215-en

Max time kernel

2s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\retln.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe N/A

Creates a large amount of network flows

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_259f9b58e5f27071472b5909427585c5_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\retln.exe

"C:\Users\Admin\AppData\Local\Temp\retln.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 storage-cabinets.info udp

Files

memory/1900-0-0x0000000000380000-0x0000000000386000-memory.dmp

memory/1900-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1900-7-0x0000000000380000-0x0000000000386000-memory.dmp

\Users\Admin\AppData\Local\Temp\retln.exe

MD5 1e03ae0437c4513a3b47918ab5776e0b
SHA1 0f1e86100d331039b61dc60d724a643b6897bc31
SHA256 9d1c947c419f5526bde951216608ef898e02492696146f5e2e33dd7ab26df1a5
SHA512 5c2856c89aec01e9e508e5a045eaf4f2cd3d335aa8c0aef530afdcca30d351b02fb15a4831321bf55ab853970f671ce607177a78e6143b5690a505a7da1cb511

memory/2732-17-0x0000000000310000-0x0000000000316000-memory.dmp
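
The dropped retln.exe carries the same MD5, SHA1, SHA256 and SHA512 in both the Windows 10 and Windows 7 detonations, so the loader writes a fixed embedded payload rather than fetching or generating one per host; the hash set is therefore a stable indicator for the second stage. When matching a file recovered from a host against a record like this, all four digests should be computed in one pass and compared together, because a partial match points at a transcription error or a tampered record rather than at the file. The script below is an added example written for this report, not part of the sandbox output; the only sample data it hashes is a constructed byte string, not the real retln.exe.

```python
import hashlib

# Digests the report records for the dropped retln.exe (identical in both runs).
REPORTED_RETLN = {
    "md5": "1e03ae0437c4513a3b47918ab5776e0b",
    "sha1": "0f1e86100d331039b61dc60d724a643b6897bc31",
    "sha256": "9d1c947c419f5526bde951216608ef898e02492696146f5e2e33dd7ab26df1a5",
    "sha512": "5c2856c89aec01e9e508e5a045eaf4f2cd3d335aa8c0aef530afdcca30d351b02fb15a4831321bf55ab853970f671ce607177a78e6143b5690a505a7da1cb511",
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest_bytes(data: bytes) -> dict:
    """All four digests of an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def digest_file(path, chunk=1 << 20) -> dict:
    """All four digests of a file, read once in chunks so large samples
    are not loaded into memory."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def compare(observed: dict, expected: dict) -> dict:
    """Per-algorithm match flags; case-insensitive so pasted uppercase hashes work."""
    return {name: observed.get(name, "").lower() == expected[name].lower() for name in expected}


def classify(observed: dict, expected: dict) -> str:
    """'match' when every digest agrees, 'different' when none does, and
    'inconsistent' for a partial match, which means the record itself is
    wrong (a typo or a tampered hash) and the file should be re-hashed and
    the record re-sourced before it is used as an indicator."""
    flags = compare(observed, expected)
    if all(flags.values()):
        return "match"
    if not any(flags.values()):
        return "different"
    return "inconsistent"


if __name__ == "__main__":
    # Constructed input: this is not the dropped binary, so it must not match.
    sample = b"constructed sample buffer, not the real retln.exe"
    print(classify(digest_bytes(sample), REPORTED_RETLN))
```

For a hash-based YARA or EDR rule, use the SHA256 from this record; MD5 and SHA1 are kept here only because sandboxes and older threat feeds still key on them, and a mismatch on those alone should be treated as a record problem, not as evidence the file is different.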