Malware Analysis Report

2024-11-15 07:53

Sample ID 241110-tg63dazkaw
Target CryptoLocker.exe
SHA256 d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
Tags: cryptolocker discovery persistence ransomware

Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

Threat Level: Known bad

The file CryptoLocker.exe was found to be: Known bad.

Malicious Activity Summary

cryptolocker discovery persistence ransomware

CryptoLocker

Cryptolocker family

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 16:02

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 16:02

Reported

2024-11-10 16:05

Platform

win7-20240729-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"

Signatures

CryptoLocker

ransomware cryptolocker

Cryptolocker family

cryptolocker

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
Target: N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"
Process: C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe

"C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8

Network

Country Destination Domain Proto
US 184.164.136.134:80 tcp
US 8.8.8.8:53 jfobwuyenejuti.biz udp
US 8.8.8.8:53 wppqsalyenookh.ru udp
US 8.8.8.8:53 ruuescsmibjwpa.org udp
US 8.8.8.8:53 sqvyyhdyyyoixh.co.uk udp
US 8.8.8.8:53 tasvrlxgmwvfpf.info udp
US 8.8.8.8:53 uvtqxqisdubqoy.com udp
US 8.8.8.8:53 pfyawwtajpjypj.net udp
US 8.8.8.8:53 qbaudcemanokxj.biz udp
US 8.8.8.8:53 rkwrvgytnlvhwh.ru udp
US 8.8.8.8:53 sgxmcljgejbsvt.org udp
US 8.8.8.8:53 cvnitmdcbmgmai.co.uk udp
US 8.8.8.8:53 piitcuyqdjtcqe.info udp
US 8.8.8.8:53 dellpcpdedfyxj.com udp
US 8.8.8.8:53 qqgwxklrgasoxs.net udp
US 8.8.8.8:53 xmrcftselfpghd.biz udp
US 8.8.8.8:53 lymnncosncdvxg.ru udp
US 8.8.8.8:53 yupfbjffovosxl.org udp
US 8.8.8.8:53 mhkqjrbtqscixc.co.uk udp
US 8.8.8.8:53 govmexyejvocav.info udp
US 8.8.8.8:53 hmqlxgsnldevyc.com udp
US 8.8.8.8:53 hwtpanlfmmnoxi.net udp
US 8.8.8.8:53 iuootvfootdigf.biz udp
US 8.8.8.8:53 cfagpfogtoxvvw.ru udp
US 8.8.8.8:53 ddufjnipvvnpuk.org udp
US 8.8.8.8:53 dnxjlubhwfwimq.co.uk udp
US 8.8.8.8:53 elsifduqymmcuu.info udp
US 8.8.8.8:53 igcyfllrrdjitw.com udp
US 8.8.8.8:53 vswknqxmfthctm.net udp
US 8.8.8.8:53 klaqebxfsjnhbd.biz udp
US 8.8.8.8:53 xxucmgkagalbrc.ru udp
US 8.8.8.8:53 ewgsqsbtcvscbu.org udp
US 8.8.8.8:53 rjbeyxnopmqvbr.co.uk udp
US 8.8.8.8:53 gcekpinhdcwbbc.info udp
US 8.8.8.8:53 toyvxnacqsuuri.com udp
US 8.8.8.8:53 mykdpwhiamccww.net udp
US 8.8.8.8:53 nwfcjcrunnhrfw.biz udp
US 8.8.8.8:53 oeiuomtvbsgbeo.ru udp
US 8.8.8.8:53 pcdtireiotlqdb.org udp
US 8.8.8.8:53 ipowbewkkflvsb.co.uk udp
US 8.8.8.8:53 jnjvujhwxgqlbi.info udp
US 8.8.8.8:53 kumoatjxllpust.com udp
US 8.8.8.8:53 lshntytkymukrn.net udp
US 8.8.8.8:53 nmxsntwfqddiik.biz udp
US 8.8.8.8:53 bysevcstsaqxyg.ru udp
US 8.8.8.8:53 ouvvjdcswftlyy.org udp
US 8.8.8.8:53 chqhrlxhychbyi.co.uk udp
US 8.8.8.8:53 lwcorbogfijlip.info udp
US 8.8.8.8:53 yjwaajkuhfwbys.com udp
US 8.8.8.8:53 mfarnkttlkaogd.net udp
US 8.8.8.8:53 arudvspinhnegt.biz udp
US 8.8.8.8:53 rfgwxfshymlxie.ru udp
US 8.8.8.8:53 sdbvrnmqbtbrhk.org udp
US 8.8.8.8:53 sneatoxufocbye.co.uk udp
US 8.8.8.8:53 tlyynwrehvruhb.info udp
US 8.8.8.8:53 ppkscmkinrrbwd.com udp
US 8.8.8.8:53 qnfrvuerpyhuvq.net udp
US 8.8.8.8:53 qxivxvpvttieuc.biz udp
US 8.8.8.8:53 rvdurejfvbxxdg.ru udp
US 8.8.8.8:53 twmjysfxhrxsml.org udp
US 8.8.8.8:53 hjhuhxrsuivmmb.co.uk udp
US 8.8.8.8:53 vckbxckrlnkbmf.info udp
US 8.8.8.8:53 jofmghwmyeiude.com udp
US 8.8.8.8:53 rhqfdawyvwevmt.net udp
US 8.8.8.8:53 ftlqlfjtjncpmq.biz udp
US 8.8.8.8:53 tmowcjcsasqetg.ru udp
US 8.8.8.8:53 hyjikoonnjoxkm.org udp
US 8.8.8.8:53 xpunjebopbqmpr.co.uk udp
US 8.8.8.8:53 ynpmdjlbdcvcxr.info udp
US 8.8.8.8:53 ausfingitwdupw.com udp
US 8.8.8.8:53 bsnecsquhxikoj.net udp
US 8.8.8.8:53 vayjnlspegwpet.biz udp
US 8.8.8.8:53 wxtihqdcrhcfmb.ru udp
US 8.8.8.8:53 xfwbmuxjicjxlr.org udp
US 8.8.8.8:53 ydragaivvdonkl.co.uk udp
US 8.8.8.8:53 ldnbljgamfstvq.info udp
US 8.8.8.8:53 ynosbrcdinhamf.com udp
US 8.8.8.8:53 mhxagysbvoggtd.net udp
US 8.8.8.8:53 aryrvhoerwumti.biz udp
US 8.8.8.8:53 htruwejbjyiors.ru udp
US 8.8.8.8:53 uesmmmfefhwuia.org udp
US 8.8.8.8:53 ixctrtvcsivbim.co.uk udp
US 8.8.8.8:53 vidlhcrfoqkhik.info udp
US 8.8.8.8:53 tivrktychtianc.com udp
US 8.8.8.8:53 uewokcswdhqkme.net udp
US 8.8.8.8:53 umgqfjldqdvmld.biz udp
US 8.8.8.8:53 vihnfrfxmqewts.ru udp
US 8.8.8.8:53 pyalvocdenxuuk.org udp
US 8.8.8.8:53 qubivwvxabgftf.co.uk udp
US 8.8.8.8:53 qdkkqeoenwlhls.info udp
US 8.8.8.8:53 rylhqmiyjktrtb.com udp
US 8.8.8.8:53 afeajagceeenuk.net udp
US 8.8.8.8:53 npfryfsiqsdxus.biz udp
US 8.8.8.8:53 cgovjpsplaomcc.ru udp
US 8.8.8.8:53 pqpnyufvxonwsw.org udp
US 8.8.8.8:53 vvituujdbxtiqp.co.uk udp
US 8.8.8.8:53 jgjlkavjnmssqq.info udp
US 8.8.8.8:53 xwspukvqitehqi.com udp
US 8.8.8.8:53 lhthkpiwuidrhv.net udp
US 8.8.8.8:53 ikmqikypysexjj.biz udp
US 8.8.8.8:53 jgnnipjqlmcerf.ru udp
US 8.8.8.8:53 klwmialdgoowqp.org udp
US 8.8.8.8:53 lhxjifvesimdpu.co.uk udp
US 8.8.8.8:53 ebqktfcqvmtsqu.info udp
US 8.8.8.8:53 udp

Files

\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

MD5 04fb36199787f2e3e2135611a38321eb
SHA1 65559245709fe98052eb284577f1fd61c01ad20d
SHA256 d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512 533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 16:02

Reported

2024-11-10 16:03

Platform

win10v2004-20241007-en

Max time kernel

46s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"

Signatures

CryptoLocker

ransomware cryptolocker

Cryptolocker family

cryptolocker

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
Target: N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"
Process: C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe

"C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 184.164.136.134:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 xsujucmcfclsjka.ru udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 lfpwwkifltqyjpv.org udp
US 8.8.8.8:53 fynakphajiphoun.co.uk udp
US 8.8.8.8:53 gwibxxbuptavnpn.info udp
US 8.8.8.8:53 gdxdsftekceemyy.com udp
US 8.8.8.8:53 hbsegnnyqnosuhq.net udp
US 8.8.8.8:53 bhskwwwchpqjkyn.biz udp
US 8.8.8.8:53 cfnlkfqwnbbxjbj.ru udp
US 8.8.8.8:53 djxosudboupujtd.co.uk udp
US 8.8.8.8:53 cjuptxnjkheprw.com udp
US 8.8.8.8:53 dhtspghvhyufqr.net udp

Files

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

MD5 04fb36199787f2e3e2135611a38321eb
SHA1 65559245709fe98052eb284577f1fd61c01ad20d
SHA256 d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512 533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444