Malware Analysis Report

2025-08-11 06:08

Sample ID 240527-xeqt6adg5z
Target 2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker
SHA256 aaaa3b43426637ca9cdc30e5066061264170cc93f5923d462addc1179877b7f0
Tags discovery
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 aaaa3b43426637ca9cdc30e5066061264170cc93f5923d462addc1179877b7f0

Threat Level: Known bad

The file 2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker was found to be: Known bad.

Malicious Activity Summary

discovery

Detection of CryptoLocker Variants

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Creates a large amount of network flows

Unsigned PE

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-27 18:46

Signatures

Detection of CryptoLocker Variants

No indicator details recorded.

Unsigned PE

No indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-27 18:46
Reported 2024-05-27 18:48
Platform win7-20240221-en
Max time kernel 15s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

No indicator details recorded.

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\retln.exe

Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe

Creates a large amount of network flows

Enumerates physical storage devices (discovery)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\retln.exe

"C:\Users\Admin\AppData\Local\Temp\retln.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 storage-cabinets.info udp

Files

memory/1964-0-0x00000000004F0000-0x00000000004F6000-memory.dmp

memory/1964-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1964-8-0x00000000004F0000-0x00000000004F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\retln.exe

MD5 5a18fe9daecdbaf09b182090a767e194
SHA1 4127c8c71f21f4f6152154197ba90bbfa5e94d4d
SHA256 ed687604ab929336f77a256df9a14a15aa59299fe14a17f67c334ba12cd5521a
SHA512 620a138b7873df0a90e90f9633a12b7daabe34d9d112b8afa1b70328f9b7460fd60fc50032a607f8cb37ebc09791f6d3d8464e3e552877df34a60f37a4355f8d

memory/2984-23-0x0000000000380000-0x0000000000386000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-27 18:46
Reported 2024-05-27 18:48
Platform win10v2004-20240508-en
Max time kernel 150s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

No indicator details recorded.

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe
Geo\Nation holds the user's configured country as a Windows GeoID; reading it is a common way for malware to gate execution by region.

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\retln.exe

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_e86563b09645ddb7464fccb7d1fdd390_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\retln.exe

"C:\Users\Admin\AppData\Local\Temp\retln.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
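The table above mixes three kinds of traffic: repeated lookups of storage-cabinets.info, resolver reverse lookups (in-addr.arpa), and Bing/Edge traffic from the analysis image. The Python script below is an added example, not part of the sandbox report or its tooling, that parses the first 20 rows of that table, counts DNS queries and follow-on connections per domain, and separates the sample's own resolution attempts from background noise. The function names, the BACKGROUND_SUFFIXES list and the "unresolved" heuristic (many DNS queries with no subsequent flow) are assumptions of this example, not findings stated by the report.

```python
"""Rank the domains in a sandbox network table so the sample's own DNS activity
stands out from analysis-VM background traffic and reverse lookups."""
from collections import Counter, defaultdict

# First 20 rows of the behavioral2 Network table, copied from the report above
# (columns: Country Destination Domain Proto).
NETWORK_TABLE = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
US 8.8.8.8:53 storage-cabinets.info udp
"""

# Assumption: these suffixes are background traffic of the Windows 10 analysis
# image (Bing/Edge telemetry), not behaviour of the sample. Tune per sandbox.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def parse_rows(table):
    """Parse 'Country Destination Domain Proto' rows into dicts; skips malformed lines."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def classify(domain):
    """Reverse lookups are resolver/OS noise, known telemetry hosts are background,
    and anything else is a name the sample itself may have asked for."""
    if domain.endswith(".in-addr.arpa"):
        return "reverse-lookup"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "candidate"


def summarize(rows):
    """Per-domain DNS query count and distinct non-DNS flows, most-queried first."""
    dns = Counter()
    flows = defaultdict(set)
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            dns[r["domain"]] += 1
        else:
            flows[r["domain"]].add((r["ip"], r["port"], r["proto"]))
    summary = []
    for domain in set(dns) | set(flows):
        n_dns, n_flows = dns[domain], len(flows[domain])
        summary.append({"domain": domain, "class": classify(domain),
                        "dns_queries": n_dns, "flows": n_flows,
                        # Heuristic (assumption): repeated lookups with no follow-on
                        # connection usually mean the name never resolved in the sandbox.
                        "unresolved": n_dns > 0 and n_flows == 0})
    summary.sort(key=lambda s: (-s["dns_queries"], s["domain"]))
    return summary


def candidates(rows):
    """Only the domains worth blocking or hunting for in enterprise DNS logs."""
    return [s for s in summarize(rows) if s["class"] == "candidate"]


if __name__ == "__main__":
    for s in summarize(parse_rows(NETWORK_TABLE)):
        flag = "UNRESOLVED" if s["unresolved"] else ""
        print(f'{s["dns_queries"]:3d} dns {s["flows"]:2d} flows  '
              f'{s["class"]:14s} {flag:10s} {s["domain"]}')
```

On the excerpt, storage-cabinets.info is the only candidate (10 queries, no connection), which is why it is the one name from this report worth pushing to a DNS blocklist or a retrospective search; the reverse lookups are the resolver's own work on the IPs it returned and should not be treated as indicators.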

Files

memory/4656-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

memory/4656-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4656-8-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\retln.exe

MD5 5a18fe9daecdbaf09b182090a767e194
SHA1 4127c8c71f21f4f6152154197ba90bbfa5e94d4d
SHA256 ed687604ab929336f77a256df9a14a15aa59299fe14a17f67c334ba12cd5521a
SHA512 620a138b7873df0a90e90f9633a12b7daabe34d9d112b8afa1b70328f9b7460fd60fc50032a607f8cb37ebc09791f6d3d8464e3e552877df34a60f37a4355f8d

memory/1204-25-0x0000000002160000-0x0000000002166000-memory.dmp