Malware Analysis Report

2025-01-18 14:44

Sample ID 240613-d6k87swgjn
Target 2024-06-13_7133857c0609a94ab0fef4dd6d7c0fc1_cryptolocker
SHA256 b105116ea0a9e80eae074b7337f2c23cfbdb8c2a898d0c426f5744f73c471d55
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2024-06-13_7133857c0609a94ab0fef4dd6d7c0fc1_cryptolocker was found to be: Known bad.

Malicious Activity Summary

Detection of CryptoLocker Variants

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Modifies system certificate store

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:37

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:37

Reported

2024-06-13 03:39

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_7133857c0609a94ab0fef4dd6d7c0fc1_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\demka.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7133857c0609a94ab0fef4dd6d7c0fc1_cryptolocker.exe N/A

Enumerates physical storage devices

Modifies system certificate store

Tags: evasion, spyware, trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\demka.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary value omitted] C:\Users\Admin\AppData\Local\Temp\demka.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_7133857c0609a94ab0fef4dd6d7c0fc1_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_7133857c0609a94ab0fef4dd6d7c0fc1_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\demka.exe

"C:\Users\Admin\AppData\Local\Temp\demka.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ttms.org udp
US 35.215.114.222:443 ttms.org tcp

Files

memory/1992-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1992-8-0x00000000003F0000-0x00000000003F6000-memory.dmp

memory/1992-0-0x00000000003F0000-0x00000000003F6000-memory.dmp

\Users\Admin\AppData\Local\Temp\demka.exe

MD5 8b3072034fea1aebfb42850b890180b3
SHA1 111afaf9c1c17466e6bdf6da8ec2a246efef424d
SHA256 b470bf66168e6c5f65003ba24790f483bb8eb473804f03fd8983c956c6f4bccb
SHA512 c1a812605042747fd85eabd01f59c2859e9b0cc3bad14ce288c950db791be509351c2b41d899fc052fd9a86401e46bdf21e7df50975299e531d7b0c67e5dd201

memory/2524-23-0x0000000000290000-0x0000000000296000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:37

Reported

2024-06-13 03:39

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_7133857c0609a94ab0fef4dd6d7c0fc1_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\demka.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-13_7133857c0609a94ab0fef4dd6d7c0fc1_cryptolocker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\demka.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_7133857c0609a94ab0fef4dd6d7c0fc1_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_7133857c0609a94ab0fef4dd6d7c0fc1_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\demka.exe

"C:\Users\Admin\AppData\Local\Temp\demka.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 ttms.org udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 35.215.114.222:443 ttms.org tcp
US 8.8.8.8:53 222.114.215.35.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.180.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

memory/1188-0-0x0000000002350000-0x0000000002356000-memory.dmp

memory/1188-1-0x0000000002350000-0x0000000002356000-memory.dmp

memory/1188-2-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\demka.exe

MD5 8b3072034fea1aebfb42850b890180b3
SHA1 111afaf9c1c17466e6bdf6da8ec2a246efef424d
SHA256 b470bf66168e6c5f65003ba24790f483bb8eb473804f03fd8983c956c6f4bccb
SHA512 c1a812605042747fd85eabd01f59c2859e9b0cc3bad14ce288c950db791be509351c2b41d899fc052fd9a86401e46bdf21e7df50975299e531d7b0c67e5dd201

memory/2320-25-0x0000000002D60000-0x0000000002D66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\medkem.exe

MD5 59cd7116f1b9d03cdcba7cee2ac60bd5
SHA1 4b4d0a01a953426a04f50b9061c7d29405964177
SHA256 0af8247a9188818c837e16aedce49f3d7f4fd7ddaa27127cb723f8e5ba7dbb3a
SHA512 692eeb8b2a15717da1a39de23960f2e007f7e22b4a6f3e68806bd8a8e34ff38fff6965f4a3b20f96edc557521941bc65e570c5a49bd1cfe1dd7cb7572d273e99