Malware Analysis Report

2025-06-16 07:25

Sample ID 240602-fetsdabe6y
Target 2024-06-02_e43ba61d976c332eb7b89c61e81aaa0d_cryptolocker
SHA256 340f99b70a640549c7d022ab222d7d4d1b49dfb4597ac26fa97aaa309a3a7038
Tags
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

340f99b70a640549c7d022ab222d7d4d1b49dfb4597ac26fa97aaa309a3a7038

Threat Level: Known bad

The file 2024-06-02_e43ba61d976c332eb7b89c61e81aaa0d_cryptolocker was found to be: Known bad.

Malicious Activity Summary


Detection of CryptoLocker Variants

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 04:47

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 04:47

Reported

2024-06-02 04:50

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_e43ba61d976c332eb7b89c61e81aaa0d_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-02_e43ba61d976c332eb7b89c61e81aaa0d_cryptolocker.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\pissa.exe
Target: N/A

Note: Geo\Nation holds the GeoID of the user's configured location. Both the original sample and the dropped pissa.exe read it; the report records only the read, not what either process did with the value.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pissa.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-02_e43ba61d976c332eb7b89c61e81aaa0d_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_e43ba61d976c332eb7b89c61e81aaa0d_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\pissa.exe

"C:\Users\Admin\AppData\Local\Temp\pissa.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 el-padrino.com udp
HK 154.215.77.110:443 el-padrino.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 110.77.215.154.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 177.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
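As an added triage example (not part of the sandbox report): the script below parses the Network table above into resolver traffic and direct connections, turns the in-addr.arpa queries back into the IPs they reverse-resolve, and correlates the two, so the single host that was forward-resolved and then contacted stands out from the reverse lookups. The rows are copied from this section (behavioral1's table holds the same first two rows); the classification rules, the assumption that 8.8.8.8 is the sandbox's configured resolver, and the function names are mine.

```python
"""Separate resolver noise from direct connections in a sandbox network table.

Added triage example, not part of the sandbox report.  NETWORK_ROWS is
copied from the behavioral2 Network section; everything else is mine.
"""

# Report rows, in the report's own column order: Country Destination Domain Proto
NETWORK_ROWS = """\
US 8.8.8.8:53 el-padrino.com udp
HK 154.215.77.110:443 el-padrino.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 110.77.215.154.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 177.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
"""

# Assumption: the sandbox's configured DNS server.  Every port-53 row in the
# report goes here.
RESOLVERS = {"8.8.8.8"}


def ptr_to_ip(name):
    """'110.77.215.154.in-addr.arpa' -> '154.215.77.110'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage(rows):
    """Split rows into direct connections, reverse-resolved IPs and queried names.

    connections : list of (ip, port, proto, domain) not aimed at a resolver
    ptr_ips     : set of IPs the guest reverse-resolved
    forward     : set of domain names queried at the resolver
    """
    connections, ptr_ips, forward = [], set(), set()
    for line in rows.strip().splitlines():
        _country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        if ip in RESOLVERS and port == "53":
            rev = ptr_to_ip(domain)
            if rev:
                ptr_ips.add(rev)
            else:
                forward.add(domain)
        else:
            connections.append((ip, int(port), proto, domain))
    return connections, ptr_ips, forward


def c2_candidates(rows):
    """Direct connections, annotated with how they relate to the DNS rows.

    A name the sample resolved and then connected to is the strongest
    indicator; a PTR lookup of the same IP is the host looking up the peer
    it just spoke to, not additional infrastructure.
    """
    connections, ptr_ips, forward = triage(rows)
    return [
        {
            "domain": domain,
            "ip": ip,
            "port": port,
            "proto": proto,
            "resolved_first": domain in forward,
            "reverse_looked_up": ip in ptr_ips,
        }
        for ip, port, proto, domain in connections
    ]


def unexplained_ptr_lookups(rows):
    """Reverse lookups for IPs the sample never connected to.

    In this report these sit in CDN and Microsoft cloud ranges and are
    typically the background traffic of a Windows guest, not sample activity.
    """
    connections, ptr_ips, _forward = triage(rows)
    contacted = {ip for ip, _port, _proto, _domain in connections}
    return ptr_ips - contacted


if __name__ == "__main__":
    for hit in c2_candidates(NETWORK_ROWS):
        print("C2 candidate:", hit)
    print("background PTR lookups:", sorted(unexplained_ptr_lookups(NETWORK_ROWS)))
```

Run against the table above, the only direct connection is 154.215.77.110:443 (el-padrino.com, tcp), it was resolved through 8.8.8.8 first, and its reverse lookup is the one PTR row explained by sample traffic; the other eleven PTR rows belong to the guest, not to the sample, and should not be carried into an indicator list.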

Files

memory/2896-0-0x0000000002350000-0x0000000002356000-memory.dmp

memory/2896-8-0x0000000002350000-0x0000000002356000-memory.dmp

memory/2896-1-0x00000000023C0000-0x00000000023C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pissa.exe

MD5 f8527a505992a443719422618426cb3b
SHA1 087599375d4d3c4cbe135c48f83e6fc31228e5a2
SHA256 ffc9014cd2bbc2aa252ae46f65a1e820664fd2d64d0aa8185a414863354ad5e0
SHA512 0624eee51738b318f35104059068af81afc912bfe0af491013bdb6ba7464c1a0ff55e746cd16b10136fd7cd38607f0a9a0b6b1ff5d81bfb9581f391db7372636

memory/4956-17-0x0000000003010000-0x0000000003016000-memory.dmp

memory/4956-23-0x0000000002D60000-0x0000000002D66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pissec.exe

MD5 11bed1c06d8f4680de5154405be20365
SHA1 9c3095f1aa0b02924c23592d1e86673bb0081ca1
SHA256 bcc0582f122db6e61d2aa06628275f5b882c01ca037699427d0f68e48d744666
SHA512 050bb38ff33ab7e8e8aa647cffb26d2b0a54074340e79f0acf0db8f076c421505f1e4c1ce169d55aeacd4085ce258a78d24327c9393650642963beb130517da8

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 04:47

Reported

2024-06-02 04:50

Platform

win7-20240508-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_e43ba61d976c332eb7b89c61e81aaa0d_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pissa.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_e43ba61d976c332eb7b89c61e81aaa0d_cryptolocker.exe N/A

Enumerates physical storage devices

Modifies system certificate store

Tags: evasion, spyware, trojan

Description: Key created
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Process: C:\Users\Admin\AppData\Local\Temp\pissa.exe
Target: N/A

Description: Set value (data)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data omitted from this report]
Process: C:\Users\Admin\AppData\Local\Temp\pissa.exe
Target: N/A

Note: the subkey name under Certificates is the SHA-1 thumbprint of the certificate being stored, and CABD2A79A1076A31F21D253635CB039D4329A5E8 is the published thumbprint of ISRG Root X1, the Let's Encrypt root. Windows 7 does not ship that root; CryptoAPI's automatic root update fetches and installs it the first time a certificate chain anchored in it is validated. That is consistent with the TLS connection to el-padrino.com:443 recorded in this run and with the signature not firing in the Windows 10 run (behavioral2). Treat this event as a likely side effect of the C2 connection rather than a deliberately planted root, and confirm by checking the certificate in the blob against the published ISRG Root X1 fingerprint before using the thumbprint as an indicator.
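As an added forensic check (not code from the sandbox or the report): Windows stores each registry-backed certificate as a REG_BINARY Blob made of records {DWORD property id, DWORD reserved, DWORD length, data}; property 0x20 (CERT_CERT_PROP_ID) carries the DER certificate, property 0x03 (CERT_SHA1_HASH_PROP_ID) its SHA-1, and the subkey name under Certificates is that SHA-1 thumbprint. The script below parses such a blob, recomputes the thumbprint, and checks it against the key name and against a small allowlist of public roots that Windows' automatic root update installs on demand, the one in the report being ISRG Root X1. Because the report elides the blob's contents, the sample blob is constructed here around placeholder bytes standing in for a real DER certificate; the helper names and the allowlist are mine.

```python
"""Validate a 'Modifies system certificate store' event against the cert it stores.

Added forensic example, not part of the sandbox report.  The registry Blob
layout (property records of propid/reserved/length/data) is Windows' own;
the sample blob, key paths and helper names below are constructed here.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 0x03   # SHA-1 of the encoded certificate
CERT_CERT_PROP_ID = 0x20        # the DER-encoded certificate itself

# Roots that Windows' automatic root update installs on first use.  The
# thumbprint from the report is ISRG Root X1 (Let's Encrypt).
KNOWN_PUBLIC_ROOTS = {
    "CABD2A79A1076A31F21D253635CB039D4329A5E8": "ISRG Root X1",
}


def parse_blob(blob):
    """Yield (propid, data) for each record; raise ValueError on a malformed blob."""
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("malformed record at offset %d" % (off - 12))
        yield propid, blob[off:off + length]
        off += length


def is_well_formed(blob):
    """True if every record in the blob parses cleanly."""
    try:
        list(parse_blob(blob))
        return True
    except ValueError:
        return False


def build_blob(records):
    """Inverse of parse_blob; used only to construct the sample input below."""
    return b"".join(struct.pack("<III", propid, 1, len(data)) + data
                    for propid, data in records)


def assess(key_path, blob):
    """Compare the key name with the certificate actually stored in the blob."""
    named = key_path.rstrip("\\").rsplit("\\", 1)[-1].upper()
    store = key_path.split("\\SystemCertificates\\", 1)[-1].split("\\", 1)[0]
    props = dict(parse_blob(blob))
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no CERT_CERT_PROP_ID record")
    computed = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    return {
        "store": store,                        # ROOT means a new trust anchor
        "named_thumbprint": named,
        "computed_thumbprint": computed,
        "name_matches_cert": named == computed,
        "stored_hash_matches": stored is None or stored.hex().upper() == computed,
        "known_public_root": KNOWN_PUBLIC_ROOTS.get(named),
    }


# Constructed sample: placeholder bytes stand in for a real DER certificate.
FAKE_DER = b"\x30\x82\x05\x00" + b"constructed placeholder, not a real certificate"
FAKE_THUMBPRINT = hashlib.sha1(FAKE_DER).hexdigest().upper()
SAMPLE_BLOB = build_blob([
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_CERT_PROP_ID, FAKE_DER),
])
ROOT_STORE = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\"
SAMPLE_KEY = ROOT_STORE + FAKE_THUMBPRINT
# The key from the report paired with the constructed blob: the names disagree,
# which is the case to investigate (a cert stored under someone else's thumbprint).
REPORT_KEY = ROOT_STORE + "CABD2A79A1076A31F21D253635CB039D4329A5E8"


if __name__ == "__main__":
    print(assess(SAMPLE_KEY, SAMPLE_BLOB))
    print(assess(REPORT_KEY, SAMPLE_BLOB))
```

On a real capture, export the Blob value from the registry hive and feed it to assess() with the key path from the report: a key name that matches the recomputed thumbprint and appears in the allowlist is the automatic root update doing its job; a ROOT-store entry whose name does not match its certificate, or whose thumbprint is not a known public root, is a planted trust anchor and belongs in the indicators.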

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-02_e43ba61d976c332eb7b89c61e81aaa0d_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_e43ba61d976c332eb7b89c61e81aaa0d_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\pissa.exe

"C:\Users\Admin\AppData\Local\Temp\pissa.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 el-padrino.com udp
HK 154.215.77.110:443 el-padrino.com tcp

Files

memory/1872-0-0x0000000000380000-0x0000000000386000-memory.dmp

memory/1872-1-0x0000000000390000-0x0000000000396000-memory.dmp

memory/1872-8-0x0000000000380000-0x0000000000386000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pissa.exe

MD5 f8527a505992a443719422618426cb3b
SHA1 087599375d4d3c4cbe135c48f83e6fc31228e5a2
SHA256 ffc9014cd2bbc2aa252ae46f65a1e820664fd2d64d0aa8185a414863354ad5e0
SHA512 0624eee51738b318f35104059068af81afc912bfe0af491013bdb6ba7464c1a0ff55e746cd16b10136fd7cd38607f0a9a0b6b1ff5d81bfb9581f391db7372636

memory/2880-15-0x00000000002B0000-0x00000000002B6000-memory.dmp

memory/2880-22-0x00000000002A0000-0x00000000002A6000-memory.dmp