a80c710e97a2c6dd29de9fc67c135603184b0fa05bb25d8688e351f9af6a4ed1

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-19_433f47014781008c127d2689d4e60d41_cryptolocker.exe
Size

37KB
MD5

433f47014781008c127d2689d4e60d41
SHA1

bf5048acd08c144aecab826f56dc8247cf605e13
SHA256

a80c710e97a2c6dd29de9fc67c135603184b0fa05bb25d8688e351f9af6a4ed1
SHA512

0843e477cbef4abcddfd93c969cf09d814606ddcb76ac4296f2b39c9a4b522e726e6bf9611d89c0afd68766177b9bf4f49a501bf8d5ecc8b2b654e75ed5ce37e
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunrkw1:btB9g/WItCSsAGjX7e9N0hunrk+

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012263-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2408	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
1520	2024-01-19_433f47014781008c127d2689d4e60d41_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1520	2024-01-19_433f47014781008c127d2689d4e60d41_cryptolocker.exe
2408	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2408	1520	2024-01-19_433f47014781008c127d2689d4e60d41_cryptolocker.exe	28
PID 1520 wrote to memory of 2408	1520	2024-01-19_433f47014781008c127d2689d4e60d41_cryptolocker.exe	28
PID 1520 wrote to memory of 2408	1520	2024-01-19_433f47014781008c127d2689d4e60d41_cryptolocker.exe	28
PID 1520 wrote to memory of 2408	1520	2024-01-19_433f47014781008c127d2689d4e60d41_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-19_433f47014781008c127d2689d4e60d41_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-19_433f47014781008c127d2689d4e60d41_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
37KB

MD5
2e9b402bb043c7ca980e8d4bf13a6d5a

SHA1
da3915b7de18c4113c968a925306d6f8a65a1373

SHA256
0da1c15c089723eddac2cfdc32c93577d2e2dd1a18dc15071d36cd13a056cb0e

SHA512
d98c1adb7e1cea5154207c8210085cf1be5e17727de40a9ae504f8eaa9a82237e35ca133f9746a87c76bbfc0ca0e040a1af81132df5b6103639a9db346ad4ba0

Download Submit
memory/1520-0-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/1520-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1520-3-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download