b48514581431f3703bced0f177b56813e7e69a041f07ae420b0c9a75a58ddc6c

Analysis

max time kernel
19s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_c1380f186af90144d1f810beafda46d9_cryptolocker.exe
Size

35KB
MD5

c1380f186af90144d1f810beafda46d9
SHA1

1a2e277b355ac083c2166d3a625689801e832338
SHA256

b48514581431f3703bced0f177b56813e7e69a041f07ae420b0c9a75a58ddc6c
SHA512

21f716ade8c65e02093bda3ae231ba00f59123dac25f6c552e2776261b3c1177dc52b21094aaea23f3ac181759b7a239d20218bc589a108f8e9112eba5d4a445
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiA0J5AuNxL2:btB9g/WItCSsAGjX7e9NQt2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2372	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2664	2024-01-08_c1380f186af90144d1f810beafda46d9_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2664	2024-01-08_c1380f186af90144d1f810beafda46d9_cryptolocker.exe
2372	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2372	2664	2024-01-08_c1380f186af90144d1f810beafda46d9_cryptolocker.exe	17
PID 2664 wrote to memory of 2372	2664	2024-01-08_c1380f186af90144d1f810beafda46d9_cryptolocker.exe	17
PID 2664 wrote to memory of 2372	2664	2024-01-08_c1380f186af90144d1f810beafda46d9_cryptolocker.exe	17
PID 2664 wrote to memory of 2372	2664	2024-01-08_c1380f186af90144d1f810beafda46d9_cryptolocker.exe	17

C:\Users\Admin\AppData\Local\Temp\2024-01-08_c1380f186af90144d1f810beafda46d9_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_c1380f186af90144d1f810beafda46d9_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
35KB

MD5
03d4ecfe53de4b3ea2f3ce0c61552e47

SHA1
37c462c06657a1833240d5e368cbc291ff96747a

SHA256
8bcc7109e20382f860e8a8444ed26f89b720f576fdfbf422f500b3440ae4e0f2

SHA512
ab33bbe6cb18732c40117f12e34aafe66e56416a2f5cea931ac86b0684f89c22582cd79be80d18a62e4990cdb02ac35e25c0239495c4cf5cbc66979b8a8c7f61

Download Submit
memory/2372-17-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/2664-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2664-8-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2664-0-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download