Malware Analysis Report

2025-01-18 12:58

Sample ID: 240613-d852dswgqn
Target: 2024-06-13_8b52fc63a91b2706ef173bec94a300dc_cryptolocker
SHA256: c80ba4a8406d750232bd85229560fbef49e268296fec07e3372874bced583c44
Tags:
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: c80ba4a8406d750232bd85229560fbef49e268296fec07e3372874bced583c44

Threat Level: Known bad

The file 2024-06-13_8b52fc63a91b2706ef173bec94a300dc_cryptolocker was found to be: Known bad.

Malicious Activity Summary


Detection of CryptoLocker Variants

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 03:41

Signatures

Detection of CryptoLocker Variants

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 03:41
Reported: 2024-06-13 03:44
Platform: win7-20240221-en
Max time kernel: 118s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_8b52fc63a91b2706ef173bec94a300dc_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gewos.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_8b52fc63a91b2706ef173bec94a300dc_cryptolocker.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_8b52fc63a91b2706ef173bec94a300dc_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_8b52fc63a91b2706ef173bec94a300dc_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\gewos.exe

"C:\Users\Admin\AppData\Local\Temp\gewos.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | nasap.net | udp
US | 35.212.119.5:443 | nasap.net | tcp

Files

memory/2172-0-0x00000000004F0000-0x00000000004F6000-memory.dmp

memory/2172-8-0x00000000004F0000-0x00000000004F6000-memory.dmp

memory/2172-1-0x0000000000400000-0x0000000000406000-memory.dmp

\Users\Admin\AppData\Local\Temp\gewos.exe

MD5 277161b1bc81a136d27dd038387fad9c
SHA1 25378456a9d44e1602365f472808eb5761a3054e
SHA256 fd873c9203add8f8143a9ee66e471f452281c1c02af9890871127a9448293414
SHA512 be191a236f22fbb03a7ca1a305e225b70372390599bc4ba84721dd70c86c11bb9312b7548eafc8a9529f1268c6ac59e0278687adc04bfa1809879fe1df9808dc

memory/3064-23-0x00000000002A0000-0x00000000002A6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 03:41
Reported: 2024-06-13 03:44
Platform: win10v2004-20240226-en
Max time kernel: 141s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_8b52fc63a91b2706ef173bec94a300dc_cryptolocker.exe"

Signatures

Detection of CryptoLocker Variants

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-06-13_8b52fc63a91b2706ef173bec94a300dc_cryptolocker.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gewos.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gewos.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_8b52fc63a91b2706ef173bec94a300dc_cryptolocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_8b52fc63a91b2706ef173bec94a300dc_cryptolocker.exe"

C:\Users\Admin\AppData\Local\Temp\gewos.exe

"C:\Users\Admin\AppData\Local\Temp\gewos.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | nasap.net | udp
US | 35.212.119.5:443 | nasap.net | tcp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.119.212.35.in-addr.arpa | udp
US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp
GB | 142.250.187.202:443 | | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp

Files

memory/3040-0-0x0000000000640000-0x0000000000646000-memory.dmp

memory/3040-1-0x0000000000640000-0x0000000000646000-memory.dmp

memory/3040-2-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gewos.exe

MD5 277161b1bc81a136d27dd038387fad9c
SHA1 25378456a9d44e1602365f472808eb5761a3054e
SHA256 fd873c9203add8f8143a9ee66e471f452281c1c02af9890871127a9448293414
SHA512 be191a236f22fbb03a7ca1a305e225b70372390599bc4ba84721dd70c86c11bb9312b7548eafc8a9529f1268c6ac59e0278687adc04bfa1809879fe1df9808dc

memory/4320-26-0x0000000002110000-0x0000000002116000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gewosik.exe

MD5 8984e38e8f2fc8faf177a7fa18c015ca
SHA1 451b7af27109fbf399b0a3495ee0816d09882bd8
SHA256 98bc65153cd3206c020705d87fd7ca8f0e3388f420ee41f285918369944d0238
SHA512 f8079c2cbed47efcda3d8828d06a1f85df6efb480c98419377bac0483ad755e46fe5a2e7dff7da9d9eb5d22e16f4bb1c2f65eaf475f55103750e8d946796f030
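The following script is an added example, not part of the sandbox report and not the sandbox vendor's detection logic. It turns the indicators recorded in the behavioral1 and behavioral2 runs above (the sample's SHA256, the dropped files gewos.exe and gewosik.exe and their SHA256 values, the resolved domain nasap.net, the TLS peer 35.212.119.5:443, and the Control Panel\International\Geo\Nation registry query) into a sweep over host and network telemetry. The event schema (event, id, image, parent_image, sha256, query, dst_ip, dst_port, target_object) and the records in SAMPLE_EVENTS are constructed for the demonstration; the temp_spawns_temp heuristic is the editor's, not a signature from the report; and treating the 8.8.8.8 resolver, the in-addr.arpa PTR lookups and the 142.250.187.202:443 connection as sandbox environment traffic rather than indicators is an analyst judgement, not something the report states.

```python
"""Host/network IOC sweep built from the behavioral1 and behavioral2 runs above.

Added example, not part of the sandbox report. Indicators are copied from the
report; the resolver 8.8.8.8, the in-addr.arpa PTR lookups and the
142.250.187.202:443 connection are treated as sandbox environment traffic and
are deliberately not indicators. The event schema and the records in
SAMPLE_EVENTS are constructed for this demonstration.
"""
from __future__ import annotations

import hashlib
import ipaddress
from typing import Iterable

# Indicators copied from the report.
SAMPLE_SHA256 = "c80ba4a8406d750232bd85229560fbef49e268296fec07e3372874bced583c44"
DROPPED_SHA256 = {
    "fd873c9203add8f8143a9ee66e471f452281c1c02af9890871127a9448293414": "gewos.exe",
    "98bc65153cd3206c020705d87fd7ca8f0e3388f420ee41f285918369944d0238": "gewosik.exe",
}
C2_DOMAINS = {"nasap.net"}
C2_IPS = {ipaddress.ip_address("35.212.119.5")}
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"  # drop directory seen in the report


def is_temp_path(path: str) -> bool:
    """True when an image lives under a user's AppData\\Local\\Temp."""
    return "\\appdata\\local\\temp\\" in path.lower().replace("/", "\\")


def match_hash(data: bytes) -> str | None:
    """Name the report artefact whose SHA256 matches these bytes, or None."""
    digest = hashlib.sha256(data).hexdigest()
    if digest == SAMPLE_SHA256:
        return "sample"
    return DROPPED_SHA256.get(digest)


def check_event(ev: dict) -> list[str]:
    """Return the indicator labels one telemetry event matches (empty if none)."""
    hits: list[str] = []
    kind = ev.get("event")
    if kind == "dns_query":
        q = ev.get("query", "").lower().rstrip(".")
        if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
            hits.append(f"dns:{q}")
    elif kind == "network_connect":
        if ipaddress.ip_address(ev["dst_ip"]) in C2_IPS:
            hits.append(f"connect:{ev['dst_ip']}:{ev['dst_port']}")
    elif kind == "process_create":
        sha = ev.get("sha256", "").lower()
        if sha == SAMPLE_SHA256:
            hits.append("hash:sample")
        elif sha in DROPPED_SHA256:
            hits.append(f"hash:{DROPPED_SHA256[sha]}")
        # Heuristic (editor's, not a report signature): a Temp-resident EXE
        # launching another Temp-resident EXE, as the sample does with gewos.exe.
        if is_temp_path(ev.get("image", "")) and is_temp_path(ev.get("parent_image", "")):
            hits.append("temp_spawns_temp")
    elif kind == "registry_query":
        key = ev.get("target_object", "").lower()
        if key.endswith(GEO_NATION_SUFFIX) and is_temp_path(ev.get("image", "")):
            hits.append("geo_nation_query_from_temp")
    return hits


def sweep(events: Iterable[dict]) -> dict[str, list[str]]:
    """Map event id -> matched indicator labels, keeping only events that matched."""
    return {ev["id"]: h for ev in events if (h := check_event(ev))}


# Constructed telemetry mirroring the behavioral2 run; not taken from a real host.
SAMPLE_EXE = TEMP + r"\2024-06-13_8b52fc63a91b2706ef173bec94a300dc_cryptolocker.exe"
GEWOS_EXE = TEMP + r"\gewos.exe"
EDGE_EXE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"id": "e1", "event": "process_create", "image": SAMPLE_EXE,
     "parent_image": r"C:\Windows\explorer.exe", "sha256": SAMPLE_SHA256},
    {"id": "e2", "event": "registry_query", "image": SAMPLE_EXE,
     "target_object": r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000"
                      r"\Control Panel\International\Geo\Nation"},
    {"id": "e3", "event": "process_create", "image": GEWOS_EXE, "parent_image": SAMPLE_EXE,
     "sha256": "fd873c9203add8f8143a9ee66e471f452281c1c02af9890871127a9448293414"},
    {"id": "e4", "event": "dns_query", "image": GEWOS_EXE, "query": "nasap.net"},
    {"id": "e5", "event": "dns_query", "image": GEWOS_EXE, "query": "217.106.137.52.in-addr.arpa"},
    {"id": "e6", "event": "network_connect", "image": GEWOS_EXE, "dst_ip": "35.212.119.5", "dst_port": 443},
    {"id": "e7", "event": "network_connect", "image": EDGE_EXE, "dst_ip": "142.250.187.202", "dst_port": 443},
    {"id": "e8", "event": "process_create", "image": EDGE_EXE, "parent_image": EDGE_EXE, "sha256": "00" * 32},
]

if __name__ == "__main__":
    for event_id, labels in sweep(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(labels))
```

Run as-is, the script reports e1 (sample hash), e2 (Geo\Nation query from a Temp executable), e3 (gewos.exe hash plus Temp-spawns-Temp), e4 (nasap.net lookup) and e6 (connection to 35.212.119.5:443); the PTR lookup, the Edge connection and the Edge child process produce nothing. To use it on real data, normalise process-creation, DNS, connection and registry telemetry to the same fields and pass it to sweep(); match_hash() checks a quarantined file's bytes against the report's hashes. Note that gewosik.exe appears only in the behavioral2 Files list and never in a Processes entry, so its hash is the only indicator the report supports for it.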