Malware Analysis Report

2025-08-05 16:03

Sample ID 240606-1gp77ade39
Target 2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker
SHA256 5ed087301ebae874ff5047576072f6e437b53d4d965bcf418e0c0f59d98a78e5
score
10/10


Analysis Overview

score
10/10

SHA256

5ed087301ebae874ff5047576072f6e437b53d4d965bcf418e0c0f59d98a78e5

Threat Level: Known bad

The file 2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker was found to be: Known bad.

Malicious Activity Summary

Detection of CryptoLocker Variants

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 21:37

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 21:37

Reported

2024-06-06 21:40

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gewos.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\gewos.exe

"C:\Users\Admin\AppData\Local\Temp\gewos.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nasap.net udp
US 35.212.119.5:443 nasap.net tcp

Files

memory/2156-0-0x0000000000380000-0x0000000000386000-memory.dmp

\Users\Admin\AppData\Local\Temp\gewos.exe

MD5 1c31ccb88dfc9887ea4f5ae6ceee5431
SHA1 edc154feded570292ed4e2c41a524817a97bcc67
SHA256 8119e57048ca3bc5b226e628b4625949fcd404c0329269613c1c9c3d4586f7dd
SHA512 023084070d07c0e5c9fd626bca774254bef90913399d8f4e507682d93cc71aa9dc89efb79f128060c3389c6d70030befa1ca051367e96be95d2edfccfd4fad54

memory/2072-23-0x0000000000390000-0x0000000000396000-memory.dmp

memory/2156-8-0x0000000000380000-0x0000000000386000-memory.dmp

memory/2156-1-0x0000000000400000-0x0000000000406000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 21:37

Reported

2024-06-06 21:40

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gewos.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gewos.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\gewos.exe

"C:\Users\Admin\AppData\Local\Temp\gewos.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nasap.net udp
US 35.212.119.5:443 nasap.net tcp

Files

memory/2032-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2032-8-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

memory/2032-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gewos.exe

MD5 1c31ccb88dfc9887ea4f5ae6ceee5431
SHA1 edc154feded570292ed4e2c41a524817a97bcc67
SHA256 8119e57048ca3bc5b226e628b4625949fcd404c0329269613c1c9c3d4586f7dd
SHA512 023084070d07c0e5c9fd626bca774254bef90913399d8f4e507682d93cc71aa9dc89efb79f128060c3389c6d70030befa1ca051367e96be95d2edfccfd4fad54

memory/2816-25-0x0000000002020000-0x0000000002026000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gewosik.exe

MD5 96e563d0eedebd06e003b8004418d248
SHA1 82116228048d05603815cc6365cc8f3433e61615
SHA256 dbf4d13fb4e427e07fe129fbef73aa9c4ac9f4674391cb53cb4f0f947752386e
SHA512 3683e95fbc79c983b9a92ed158ee9a27d01eb356100aa82cf8d1c629daf0ce367d2f1c2757bfe7ac03d6a322eea0faeeec7b547d12a84a185580d567c00818d4