Malware Analysis Report

2025-08-10 21:27

Sample ID 240525-ayawqagg24
Target 2024-05-25_5c038d66be8e4314413c745733883996_cryptolocker
SHA256 14fd78050b05f4e997ae15b78a2fe6e3112d47b386bf7f603005b5b7e3bf15d1
score
10/10

Analysis Overview

score
10/10

SHA256

14fd78050b05f4e997ae15b78a2fe6e3112d47b386bf7f603005b5b7e3bf15d1

Threat Level: Known bad

The file 2024-05-25_5c038d66be8e4314413c745733883996_cryptolocker was found to be: Known bad.

Malicious Activity Summary

Detection of CryptoLocker Variants

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-05-25 00:36

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 00:36

Reported

2024-05-25 00:39

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_5c038d66be8e4314413c745733883996_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-05-25_5c038d66be8e4314413c745733883996_cryptolocker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gewos.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gewos.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5c038d66be8e4314413c745733883996_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_5c038d66be8e4314413c745733883996_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\gewos.exe

"C:\Users\Admin\AppData\Local\Temp\gewos.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 nasap.net udp
US 35.212.119.5:443 nasap.net tcp
US 8.8.8.8:53 5.119.212.35.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3740-0-0x00000000021C0000-0x00000000021C6000-memory.dmp

memory/3740-2-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3740-8-0x00000000021C0000-0x00000000021C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gewos.exe

MD5 ddf126c327089a3ee587bc91641c0724
SHA1 6e7ab9b2806133024647a293ab3d071e28687d5c
SHA256 57324cfb6fe945313417f1d4af1bf1f7ca72d2538583e712864c11ccab199360
SHA512 27e1d4b00f0fb0fab36516800bab59334f2679aa2c7c79c6f90d2282821f79623183390b2190cfd25269a6bb7474c0429bc02a7507693f2a38f739993be36f9a

memory/4524-25-0x0000000000690000-0x0000000000696000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gewosik.exe

MD5 ec88b457000d8899b0a6ed26578f2c49
SHA1 8ec598e86916b10851b6d94d497117ab4eb057c3
SHA256 38195a8672e27443e3c738ae7170c6cdae3574512bc866a7dba028411e2c467d
SHA512 195c1fbe4bebbc1fabe50464f6515be8bfb7d17821439fb49c059aa538fd1bb9b43f36610592819446dd0a1466ab636e0437fc23e994a0df5d09bfc0252b991e

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 00:36

Reported

2024-05-25 00:39

Platform

win7-20240220-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_5c038d66be8e4314413c745733883996_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gewos.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_5c038d66be8e4314413c745733883996_cryptolocker.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_5c038d66be8e4314413c745733883996_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_5c038d66be8e4314413c745733883996_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\gewos.exe

"C:\Users\Admin\AppData\Local\Temp\gewos.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nasap.net udp
US 35.212.119.5:443 nasap.net tcp

Files

memory/1120-0-0x0000000000290000-0x0000000000296000-memory.dmp

memory/1120-8-0x0000000000290000-0x0000000000296000-memory.dmp

memory/1120-1-0x0000000000400000-0x0000000000406000-memory.dmp

\Users\Admin\AppData\Local\Temp\gewos.exe

MD5 ddf126c327089a3ee587bc91641c0724
SHA1 6e7ab9b2806133024647a293ab3d071e28687d5c
SHA256 57324cfb6fe945313417f1d4af1bf1f7ca72d2538583e712864c11ccab199360
SHA512 27e1d4b00f0fb0fab36516800bab59334f2679aa2c7c79c6f90d2282821f79623183390b2190cfd25269a6bb7474c0429bc02a7507693f2a38f739993be36f9a

memory/2976-16-0x0000000000350000-0x0000000000356000-memory.dmp