Malware Analysis Report

2025-01-18 14:44

Sample ID 240613-d7eg2swglp
Target 2024-06-13_7796225634074d84746f8a668eb0930b_cryptolocker
SHA256 1df9b4f11e6bbc316dce0399f0079e620bd6c23a269bc1b2e61aa5b70fb275e0
Tags upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 1df9b4f11e6bbc316dce0399f0079e620bd6c23a269bc1b2e61aa5b70fb275e0

Threat Level: Known bad

The file 2024-06-13_7796225634074d84746f8a668eb0930b_cryptolocker was found to be: Known bad.

Malicious Activity Summary

Detection of CryptoLocker Variants

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:38

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:38

Reported

2024-06-13 03:41

Platform

win7-20240419-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_7796225634074d84746f8a668eb0930b_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gewos.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_7796225634074d84746f8a668eb0930b_cryptolocker.exe N/A

UPX packed file

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_7796225634074d84746f8a668eb0930b_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_7796225634074d84746f8a668eb0930b_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\gewos.exe

"C:\Users\Admin\AppData\Local\Temp\gewos.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nasap.net udp
US 8.8.8.8:53 nasap.net udp
US 8.8.8.8:53 nasap.net udp
US 8.8.8.8:53 nasap.net udp
US 8.8.8.8:53 nasap.net udp
US 8.8.8.8:53 nasap.net udp
US 8.8.8.8:53 nasap.net udp
US 8.8.8.8:53 nasap.net udp
US 8.8.8.8:53 nasap.net udp
US 8.8.8.8:53 nasap.net udp
US 8.8.8.8:53 nasap.net udp

Files

memory/2124-0-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2124-1-0x00000000003F0000-0x00000000003F6000-memory.dmp

memory/2124-2-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2124-9-0x00000000003F0000-0x00000000003F6000-memory.dmp

\Users\Admin\AppData\Local\Temp\gewos.exe

MD5 4149574ac6b7105642b9ab910f597fe9
SHA1 bf981560d503211b0c6fe947b2fe4a532f72a492
SHA256 d50826803946db3ba9e30b1d396b969bebad0f92fc132eb2cabb9e0c2f9010da
SHA512 648b8c141139e0516b139ced3879f997c20899aa2c163b62562e098bc6af87e548acf5b83ee3eccd362ee2bc2b852ce4d6432b330d9a23d66e6a8b8595749c30

memory/3044-16-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3044-25-0x0000000000290000-0x0000000000296000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:38

Reported

2024-06-13 03:41

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_7796225634074d84746f8a668eb0930b_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-13_7796225634074d84746f8a668eb0930b_cryptolocker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gewos.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gewos.exe N/A

UPX packed file

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_7796225634074d84746f8a668eb0930b_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_7796225634074d84746f8a668eb0930b_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\gewos.exe

"C:\Users\Admin\AppData\Local\Temp\gewos.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4420,i,4778049104057176787,6631751660692402210,262144 --variations-seed-version --mojo-platform-channel-handle=3752 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 nasap.net udp
US 35.212.119.5:443 nasap.net tcp
US 8.8.8.8:53 5.119.212.35.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
NL 52.111.243.30:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/4808-0-0x0000000000400000-0x000000000040E000-memory.dmp

memory/4808-1-0x00000000020E0000-0x00000000020E6000-memory.dmp

memory/4808-2-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4808-9-0x00000000020E0000-0x00000000020E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gewos.exe

MD5 4149574ac6b7105642b9ab910f597fe9
SHA1 bf981560d503211b0c6fe947b2fe4a532f72a492
SHA256 d50826803946db3ba9e30b1d396b969bebad0f92fc132eb2cabb9e0c2f9010da
SHA512 648b8c141139e0516b139ced3879f997c20899aa2c163b62562e098bc6af87e548acf5b83ee3eccd362ee2bc2b852ce4d6432b330d9a23d66e6a8b8595749c30

memory/1776-17-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1776-27-0x00000000006D0000-0x00000000006D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gewosik.exe

MD5 dee9c981f17d739150aec7e30291bdfb
SHA1 aed0c8757d9e789f28b77296012788eab51fbbbc
SHA256 e7a5f16de5f21a54d8f44cd687d201e962641c455c62aa1f29b1843d339aa8f4
SHA512 48a5622273ccf29b12187954bed61f6c8110a706d33b55f811abdfbce965030f1e8396a7215a52c89394bf9b1eb7222407d7d3b3914120bfda8ec5e544b349a5