Malware Analysis Report

2025-08-10 21:45

Sample ID 240610-fbgcwach29
Target 2024-06-10_207c6dffaf7f501f67ebd97e299f510b_cryptolocker
SHA256 9c102dd85e165bf8b1053a0d89dd1d248177000a0859d96310f7e0d352273ed0
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

9c102dd85e165bf8b1053a0d89dd1d248177000a0859d96310f7e0d352273ed0

Threat Level: Known bad

The file 2024-06-10_207c6dffaf7f501f67ebd97e299f510b_cryptolocker was found to be: Known bad.

Malicious Activity Summary

Detection of CryptoLocker Variants

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 04:41

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 04:41

Reported

2024-06-10 04:44

Platform

win7-20240508-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_207c6dffaf7f501f67ebd97e299f510b_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rewok.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_207c6dffaf7f501f67ebd97e299f510b_cryptolocker.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_207c6dffaf7f501f67ebd97e299f510b_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_207c6dffaf7f501f67ebd97e299f510b_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\rewok.exe

"C:\Users\Admin\AppData\Local\Temp\rewok.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 spinistry.com udp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp

Files

memory/2284-0-0x00000000003E0000-0x00000000003E6000-memory.dmp

memory/2284-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2284-8-0x00000000003E0000-0x00000000003E6000-memory.dmp

\Users\Admin\AppData\Local\Temp\rewok.exe

MD5 4b8ce0d238df67b2d7577d36b7cd9e3c
SHA1 55326f2df686a80a84419eb7adc60b1b970048d9
SHA256 72d553f2be825f4b137d4814c5f2be01bd96c26a2edd770676c3ffe2170d3e00
SHA512 819a371be8fcee5931ee78552b712077bd0b4eb8de9b7d1cd388f03389e6102e5a1b95ad5ef7335a7a806fba15ea3b287ce11c79a9ea4bd5d3a1232f30f1b7de

memory/3068-23-0x0000000000380000-0x0000000000386000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 04:41

Reported

2024-06-10 04:44

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_207c6dffaf7f501f67ebd97e299f510b_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-10_207c6dffaf7f501f67ebd97e299f510b_cryptolocker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rewok.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_207c6dffaf7f501f67ebd97e299f510b_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_207c6dffaf7f501f67ebd97e299f510b_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\rewok.exe

"C:\Users\Admin\AppData\Local\Temp\rewok.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 spinistry.com udp
US 64.98.135.121:443 spinistry.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 64.98.135.121:443 spinistry.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 64.98.135.121:443 spinistry.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp

Files

memory/4528-0-0x00000000005D0000-0x00000000005D6000-memory.dmp

memory/4528-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4528-8-0x00000000005D0000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rewok.exe

MD5 4b8ce0d238df67b2d7577d36b7cd9e3c
SHA1 55326f2df686a80a84419eb7adc60b1b970048d9
SHA256 72d553f2be825f4b137d4814c5f2be01bd96c26a2edd770676c3ffe2170d3e00
SHA512 819a371be8fcee5931ee78552b712077bd0b4eb8de9b7d1cd388f03389e6102e5a1b95ad5ef7335a7a806fba15ea3b287ce11c79a9ea4bd5d3a1232f30f1b7de

memory/2924-25-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
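What a responder actually takes from the two behavioral sections above is a small IOC set: one contacted domain, one ip:port endpoint hit repeatedly over TLS, the dropped rewok.exe and its hashes. The Python below is an added worked example, not part of the sandbox report or of the sample; it parses a constructed inline copy of the behavioral2 Network table, drops the reverse-DNS PTR lookups (the x.y.z.w.in-addr.arpa rows, which Windows and the sandbox generate in the background and which are not sample-driven traffic), collapses the eight identical 64.98.135.121:443 rows into one endpoint with a hit count, and checks a candidate file's hashes against the rewok.exe hashes listed in the Files section. All function and variable names are my own.

```python
"""IOC triage helpers for a sandbox report (added example, not the report's own tooling).

NETWORK_TABLE is a constructed inline copy of the behavioral2 Network table rows
from the report; REWOK_HASHES are the rewok.exe hashes from the report's Files section.
"""
from __future__ import annotations

import hashlib
import re
from collections import Counter
from dataclasses import dataclass

# Constructed copy of the report's behavioral2 Network table (19 rows).
NETWORK_TABLE = """\
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 spinistry.com udp
US 64.98.135.121:443 spinistry.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 64.98.135.121:443 spinistry.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 64.98.135.121:443 spinistry.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
US 64.98.135.121:443 spinistry.com tcp
"""

# Hashes of the dropped rewok.exe exactly as listed in the report.
REWOK_HASHES = {
    "md5": "4b8ce0d238df67b2d7577d36b7cd9e3c",
    "sha1": "55326f2df686a80a84419eb7adc60b1b970048d9",
    "sha256": "72d553f2be825f4b137d4814c5f2be01bd96c26a2edd770676c3ffe2170d3e00",
}


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


# One table row: "<CC> <ip>:<port> <domain> <tcp|udp>"
ROW_RE = re.compile(r"^(\w{2})\s+([\d.]+):(\d+)\s+(\S+)\s+(tcp|udp)$")


def parse_network(table: str) -> list[Conn]:
    """Parse the plain-text Network table into Conn records; skip header/blank lines."""
    conns = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            conns.append(Conn(cc, ip, int(port), domain, proto))
    return conns


def is_ptr_noise(c: Conn) -> bool:
    """Reverse-DNS lookups are background OS/sandbox chatter, not sample-driven traffic."""
    return c.domain.endswith(".in-addr.arpa")


def network_iocs(table: str) -> dict:
    """Deduplicated domains, non-DNS endpoints with hit counts, and the resolver used."""
    all_conns = parse_network(table)
    conns = [c for c in all_conns if not is_ptr_noise(c)]
    endpoints = Counter(f"{c.ip}:{c.port}/{c.proto}" for c in conns if c.port != 53)
    return {
        "domains": sorted({c.domain for c in conns}),
        "endpoints": dict(endpoints),
        # The resolver is the sandbox's DNS server, kept for context but not an IOC.
        "resolvers": sorted({c.ip for c in conns if c.port == 53}),
        "ptr_noise_dropped": len(all_conns) - len(conns),
    }


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a candidate file's bytes, as the report lists them."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def matches_dropped_file(data: bytes, known: dict = REWOK_HASHES) -> bool:
    """Require every listed hash to match so an MD5 or SHA-1 collision alone cannot hit."""
    h = file_hashes(data)
    return all(h[algo] == known[algo] for algo in known)


if __name__ == "__main__":
    print(network_iocs(NETWORK_TABLE))
```

Two caveats a practitioner should keep in mind when reading the result: the 443 rows are logged by IP with the domain inferred from the preceding DNS answer, so the report shows that a TLS session to spinistry.com was opened, not what was exchanged inside it; and the 8.8.8.8 rows are the sandbox resolver, so they belong in the context of the report, not in a blocklist.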