Malware Analysis Report

2025-04-14 00:32

Sample ID 240601-w2ws9aah9w
Target 2024-06-01_420d54ff31a7ef2e05ff4e0b643173db_cryptolocker
SHA256 35d9637bd9b44fcaedc53e7f72f1289741bd266e04c0c29b95aa389a05cfaa5f
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

35d9637bd9b44fcaedc53e7f72f1289741bd266e04c0c29b95aa389a05cfaa5f

Threat Level: Known bad

The file 2024-06-01_420d54ff31a7ef2e05ff4e0b643173db_cryptolocker was found to be: Known bad.

Malicious Activity Summary

Detection of CryptoLocker Variants

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 18:25

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 18:25

Reported

2024-06-01 18:28

Platform

win7-20240221-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_420d54ff31a7ef2e05ff4e0b643173db_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rewok.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_420d54ff31a7ef2e05ff4e0b643173db_cryptolocker.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_420d54ff31a7ef2e05ff4e0b643173db_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_420d54ff31a7ef2e05ff4e0b643173db_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\rewok.exe

"C:\Users\Admin\AppData\Local\Temp\rewok.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 spinistry.com udp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp

Files

memory/2276-8-0x0000000000280000-0x0000000000286000-memory.dmp

memory/2276-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2276-0-0x0000000000280000-0x0000000000286000-memory.dmp

\Users\Admin\AppData\Local\Temp\rewok.exe

MD5 0130fa94f4534cb6aba36f627d655c17
SHA1 3a5bedff9d2a34118bd4fe6b33ca3c6bc7be1f58
SHA256 6d4e0e7b1ca6d5c6c4ded617d32552680d44ea5b87917a530956a763615883b2
SHA512 07cac0e3aec5e95f00490a55ca0222e14f05c0ed47f300d213fead920918c8f40342eee547d2be6f0973f80c4c3b0351b844ea96539e6bea0b72ac3c5aaee91e

memory/2512-23-0x0000000000380000-0x0000000000386000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 18:25

Reported

2024-06-01 18:28

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_420d54ff31a7ef2e05ff4e0b643173db_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-01_420d54ff31a7ef2e05ff4e0b643173db_cryptolocker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rewok.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_420d54ff31a7ef2e05ff4e0b643173db_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_420d54ff31a7ef2e05ff4e0b643173db_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\rewok.exe

"C:\Users\Admin\AppData\Local\Temp\rewok.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 spinistry.com udp
US 64.98.135.121:443 spinistry.com tcp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 64.98.135.121:443 spinistry.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 64.98.135.121:443 spinistry.com tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp

Files

memory/2788-0-0x0000000002250000-0x0000000002256000-memory.dmp

memory/2788-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2788-8-0x0000000002250000-0x0000000002256000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rewok.exe

MD5 0130fa94f4534cb6aba36f627d655c17
SHA1 3a5bedff9d2a34118bd4fe6b33ca3c6bc7be1f58
SHA256 6d4e0e7b1ca6d5c6c4ded617d32552680d44ea5b87917a530956a763615883b2
SHA512 07cac0e3aec5e95f00490a55ca0222e14f05c0ed47f300d213fead920918c8f40342eee547d2be6f0973f80c4c3b0351b844ea96539e6bea0b72ac3c5aaee91e

memory/4956-25-0x0000000002200000-0x0000000002206000-memory.dmp