Malware Analysis Report

2025-06-16 07:26

Sample ID 240602-feyrbsbe7t
Target 2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker
SHA256 057a66d3ff9ba0c8ebeb0d5e72f5a5533a92ffec743302a2464e48c4c5b66d4e
Tags
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK
    Enterprise Matrix V15

Analysis: static1
    Detonation Overview
    Signatures

Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

057a66d3ff9ba0c8ebeb0d5e72f5a5533a92ffec743302a2464e48c4c5b66d4e

Threat Level: Known bad

The file 2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker was found to be: Known bad.

Malicious Activity Summary


Detection of CryptoLocker Variants

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 04:47

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 04:47

Reported

2024-06-02 04:50

Platform

win7-20240220-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gewos.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\gewos.exe

"C:\Users\Admin\AppData\Local\Temp\gewos.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nasap.net udp
US 35.212.119.5:443 nasap.net tcp

Files

memory/2820-0-0x0000000000300000-0x0000000000306000-memory.dmp

memory/2820-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2820-8-0x0000000000300000-0x0000000000306000-memory.dmp

\Users\Admin\AppData\Local\Temp\gewos.exe

MD5 07f117d9d0fc98289ea59ac0065219ef
SHA1 fc64ff823c7284aaf35e9c86e1764b12ba8ae19b
SHA256 567bae3e4a48fde04297939b3fe5b34c8c3ef1c47dba555bc33905ba0b20c9ff
SHA512 da93f5679a459b20e0bc262a1c27635f74228c7bd56774d7a05bf8619b41f5cc968f77073ac79b9c86095c18aab805d5e02187a580ac804bc29c28f4ded03d11

memory/2616-23-0x0000000000290000-0x0000000000296000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 04:47

Reported

2024-06-02 04:50

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gewos.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gewos.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\gewos.exe

"C:\Users\Admin\AppData\Local\Temp\gewos.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 nasap.net udp
US 35.212.119.5:443 nasap.net tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 5.119.212.35.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3452-0-0x0000000002160000-0x0000000002166000-memory.dmp

memory/3452-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3452-8-0x0000000002160000-0x0000000002166000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gewos.exe

MD5 07f117d9d0fc98289ea59ac0065219ef
SHA1 fc64ff823c7284aaf35e9c86e1764b12ba8ae19b
SHA256 567bae3e4a48fde04297939b3fe5b34c8c3ef1c47dba555bc33905ba0b20c9ff
SHA512 da93f5679a459b20e0bc262a1c27635f74228c7bd56774d7a05bf8619b41f5cc968f77073ac79b9c86095c18aab805d5e02187a580ac804bc29c28f4ded03d11

memory/4636-25-0x00000000020E0000-0x00000000020E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gewosik.exe

MD5 341f0d964572da44a1c9650341665037
SHA1 5003d7dc9b5d6dbbfb37403c8222ba83fa3d4b0f
SHA256 cb213ed9ca3a1892286c1fd6552b8ba339f4e62a2d72c9c9151c4848edee4ee3
SHA512 a374a3d0c18618c9550b7cf88ce4005f42af135e46c08d08c1be7b3f3012f1184fd82f126168f280da7ead6fbddd5bebdc55547bff3d7c6a440d6f9746479353