Analysis Overview
SHA256
37ab9cc8e126ffd2df15a59b724a425ea8039072a30f4cbe080b6796d33fb11a
Threat Level: Known bad
The file 2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker was found to be: Known bad.
Malicious Activity Summary
Detection of CryptoLocker Variants
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Modifies system certificate store
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 01:23
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 01:23
Reported
2024-05-30 01:26
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pissa.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\pissa.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value omitted] | C:\Users\Admin\AppData\Local\Temp\pissa.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1280 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\pissa.exe |
| PID 1280 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\pissa.exe |
| PID 1280 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\pissa.exe |
| PID 1280 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\pissa.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\pissa.exe
"C:\Users\Admin\AppData\Local\Temp\pissa.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | el-padrino.com | udp |
| HK | 154.215.77.110:443 | el-padrino.com | tcp |
Files
memory/1280-0-0x0000000000470000-0x0000000000476000-memory.dmp
memory/1280-8-0x0000000000470000-0x0000000000476000-memory.dmp
memory/1280-1-0x0000000000480000-0x0000000000486000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pissa.exe
| Hash | Value |
| --- | --- |
| MD5 | 019dc551538f01e0badf3963e2e5d3bb |
| SHA1 | ffebc3b0031709c584f53533609f6a1b0423c749 |
| SHA256 | c6276c86a4b4e810aa790df1c72a8344e44438724d4d215dc537b7a9c15d3d87 |
| SHA512 | 1be0113b6302eccffa21df57af115359df69d393aeeaafceccd098e74994d8c427e5a166483891f6b23e2f00ac7a88c1f603d31706e25926fc077d31d4e81767 |
memory/3044-15-0x0000000000750000-0x0000000000756000-memory.dmp
memory/3044-22-0x0000000000740000-0x0000000000746000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 01:23
Reported
2024-05-30 01:26
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
125s
Command Line
Signatures
Detection of CryptoLocker Variants
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\pissa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pissa.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4108 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\pissa.exe |
| PID 4108 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\pissa.exe |
| PID 4108 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe | C:\Users\Admin\AppData\Local\Temp\pissa.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe"
C:\Users\Admin\AppData\Local\Temp\pissa.exe
"C:\Users\Admin\AppData\Local\Temp\pissa.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | el-padrino.com | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| HK | 154.215.77.110:443 | el-padrino.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.77.215.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/4108-0-0x0000000002250000-0x0000000002256000-memory.dmp
memory/4108-1-0x0000000003150000-0x0000000003156000-memory.dmp
memory/4108-8-0x0000000002250000-0x0000000002256000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pissa.exe
| Hash | Value |
| --- | --- |
| MD5 | 019dc551538f01e0badf3963e2e5d3bb |
| SHA1 | ffebc3b0031709c584f53533609f6a1b0423c749 |
| SHA256 | c6276c86a4b4e810aa790df1c72a8344e44438724d4d215dc537b7a9c15d3d87 |
| SHA512 | 1be0113b6302eccffa21df57af115359df69d393aeeaafceccd098e74994d8c427e5a166483891f6b23e2f00ac7a88c1f603d31706e25926fc077d31d4e81767 |
memory/2400-17-0x0000000003010000-0x0000000003016000-memory.dmp
memory/2400-23-0x0000000002020000-0x0000000002026000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pissec.exe
| Hash | Value |
| --- | --- |
| MD5 | 11bed1c06d8f4680de5154405be20365 |
| SHA1 | 9c3095f1aa0b02924c23592d1e86673bb0081ca1 |
| SHA256 | bcc0582f122db6e61d2aa06628275f5b882c01ca037699427d0f68e48d744666 |
| SHA512 | 050bb38ff33ab7e8e8aa647cffb26d2b0a54074340e79f0acf0db8f076c421505f1e4c1ce169d55aeacd4085ce258a78d24327c9393650642963beb130517da8 |