Malware Analysis Report

2025-08-10 21:24

Sample ID 240530-br2arsac79
Target 2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker
SHA256 37ab9cc8e126ffd2df15a59b724a425ea8039072a30f4cbe080b6796d33fb11a
Tags
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

37ab9cc8e126ffd2df15a59b724a425ea8039072a30f4cbe080b6796d33fb11a

Threat Level: Known bad

The file 2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker was found to be: Known bad.

Malicious Activity Summary


Detection of CryptoLocker Variants

Detection of CryptoLocker Variants

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 01:23

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 01:23

Reported

2024-05-30 01:26

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pissa.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\pissa.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\pissa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\pissa.exe

"C:\Users\Admin\AppData\Local\Temp\pissa.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 el-padrino.com udp
HK 154.215.77.110:443 el-padrino.com tcp

Files

memory/1280-0-0x0000000000470000-0x0000000000476000-memory.dmp

memory/1280-8-0x0000000000470000-0x0000000000476000-memory.dmp

memory/1280-1-0x0000000000480000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pissa.exe

MD5 019dc551538f01e0badf3963e2e5d3bb
SHA1 ffebc3b0031709c584f53533609f6a1b0423c749
SHA256 c6276c86a4b4e810aa790df1c72a8344e44438724d4d215dc537b7a9c15d3d87
SHA512 1be0113b6302eccffa21df57af115359df69d393aeeaafceccd098e74994d8c427e5a166483891f6b23e2f00ac7a88c1f603d31706e25926fc077d31d4e81767

memory/3044-15-0x0000000000750000-0x0000000000756000-memory.dmp

memory/3044-22-0x0000000000740000-0x0000000000746000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 01:23

Reported

2024-05-30 01:26

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pissa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pissa.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-30_045ed09204f686dbe7301052f0f479b8_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\pissa.exe

"C:\Users\Admin\AppData\Local\Temp\pissa.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 el-padrino.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
HK 154.215.77.110:443 el-padrino.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 110.77.215.154.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 10.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4108-0-0x0000000002250000-0x0000000002256000-memory.dmp

memory/4108-1-0x0000000003150000-0x0000000003156000-memory.dmp

memory/4108-8-0x0000000002250000-0x0000000002256000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pissa.exe

MD5 019dc551538f01e0badf3963e2e5d3bb
SHA1 ffebc3b0031709c584f53533609f6a1b0423c749
SHA256 c6276c86a4b4e810aa790df1c72a8344e44438724d4d215dc537b7a9c15d3d87
SHA512 1be0113b6302eccffa21df57af115359df69d393aeeaafceccd098e74994d8c427e5a166483891f6b23e2f00ac7a88c1f603d31706e25926fc077d31d4e81767

memory/2400-17-0x0000000003010000-0x0000000003016000-memory.dmp

memory/2400-23-0x0000000002020000-0x0000000002026000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pissec.exe

MD5 11bed1c06d8f4680de5154405be20365
SHA1 9c3095f1aa0b02924c23592d1e86673bb0081ca1
SHA256 bcc0582f122db6e61d2aa06628275f5b882c01ca037699427d0f68e48d744666
SHA512 050bb38ff33ab7e8e8aa647cffb26d2b0a54074340e79f0acf0db8f076c421505f1e4c1ce169d55aeacd4085ce258a78d24327c9393650642963beb130517da8