216b03872a57868f8acb675cd64a5b0a4f1170876d37eceb985fd733df02512e

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 12:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_ccfe67b5d7bd84455fb9c228edff4053_cryptolocker.exe
Size

34KB
MD5

ccfe67b5d7bd84455fb9c228edff4053
SHA1

a3989535684c6245d1baf2ae3ffa4e79899e5585
SHA256

216b03872a57868f8acb675cd64a5b0a4f1170876d37eceb985fd733df02512e
SHA512

67d2c748ceecf681a35f70b9b38b3064646361d8b4dc0f98d595823b4f9ab89fba878432a728e7b3a67f35a96e887ba465b7354f21ec37880952d43e7ad7ab15
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiA0J5AV:btB9g/WItCSsAGjX7e9NQM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2128	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2932	2024-01-06_ccfe67b5d7bd84455fb9c228edff4053_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2932	2024-01-06_ccfe67b5d7bd84455fb9c228edff4053_cryptolocker.exe
2128	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2128	2932	2024-01-06_ccfe67b5d7bd84455fb9c228edff4053_cryptolocker.exe	28
PID 2932 wrote to memory of 2128	2932	2024-01-06_ccfe67b5d7bd84455fb9c228edff4053_cryptolocker.exe	28
PID 2932 wrote to memory of 2128	2932	2024-01-06_ccfe67b5d7bd84455fb9c228edff4053_cryptolocker.exe	28
PID 2932 wrote to memory of 2128	2932	2024-01-06_ccfe67b5d7bd84455fb9c228edff4053_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-06_ccfe67b5d7bd84455fb9c228edff4053_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_ccfe67b5d7bd84455fb9c228edff4053_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
34KB

MD5
124fb4e9e15f6ca86c1e5dfb1fb46e35

SHA1
61d0edd86621f0fa82958d9a479c2379bfaef0d4

SHA256
b01f8a8e8a97a3c3c89c8631ac9621b6302ec5901d3ed15f0008818bef7a374f

SHA512
c4e2cc343c31cf190e766a6049fd2a2f35c756cfa18c82a187f9ae4919b76629260408b0bc8a6c0870a8c055a61bf06c9e2b211370278cdd0d9523cf60f5e56b

Download Submit
memory/2128-16-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/2932-0-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2932-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2932-8-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download