86b57c66413fcd4511b7f5bd623ef63dbf4f30d279ff5a429ea9b32159cf2cf1

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_0ec3dad4f5b5c08464aaf0011be63278_cryptolocker.exe
Size

41KB
MD5

0ec3dad4f5b5c08464aaf0011be63278
SHA1

0e1a57aeb01049c7817ae141242ff80d19742f23
SHA256

86b57c66413fcd4511b7f5bd623ef63dbf4f30d279ff5a429ea9b32159cf2cf1
SHA512

165000336c03e7451280e9c159ce42f6d2bb3ac9e1efd1953dc6522ca00f216a5a5547aae6674f7fae515fa2bb89d4348a80e79f16296cbeb0456147edfa4bee
SSDEEP

768:b7o/2n1TCraU6GD1a4Xcn62TUdcuQlqJ51mwoE:bc/y2lm6Y0AqJ51mwoE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2372	rewok.exe

Loads dropped DLL 1 IoCs

pid	Process
1948	2024-01-10_0ec3dad4f5b5c08464aaf0011be63278_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1948	2024-01-10_0ec3dad4f5b5c08464aaf0011be63278_cryptolocker.exe
2372	rewok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2372	1948	2024-01-10_0ec3dad4f5b5c08464aaf0011be63278_cryptolocker.exe	28
PID 1948 wrote to memory of 2372	1948	2024-01-10_0ec3dad4f5b5c08464aaf0011be63278_cryptolocker.exe	28
PID 1948 wrote to memory of 2372	1948	2024-01-10_0ec3dad4f5b5c08464aaf0011be63278_cryptolocker.exe	28
PID 1948 wrote to memory of 2372	1948	2024-01-10_0ec3dad4f5b5c08464aaf0011be63278_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-10_0ec3dad4f5b5c08464aaf0011be63278_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_0ec3dad4f5b5c08464aaf0011be63278_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
41KB

MD5
0f94925f44aeef721411a83dd210737d

SHA1
424db25ed3c70722d82ea578f96d208b25c7330c

SHA256
49b6ef643e1abd430068f85d6e257b821ad3cd5de03b53db1691375166dca9a6

SHA512
46638afbcdab9ae28532a33c44a284a45c98c204cf17a9f7a504b1c0cdf737d24e8f4c1a8c1dcc2f1f3c830e3c5b58c7a24a5cc6b79b21739efba0d0d97dd599

Download Submit
memory/1948-0-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/1948-1-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/1948-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2372-18-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download