7b7d7f801f789300f909f73e0e1ed01dadefa25c5b17a1a78d124151c6f10a2e

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23/01/2024, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_c49d309ee24d5eac93316201d2716282_cryptolocker.exe
Size

41KB
MD5

c49d309ee24d5eac93316201d2716282
SHA1

6c6172509401cd74d8b53574818bdf1f76114ace
SHA256

7b7d7f801f789300f909f73e0e1ed01dadefa25c5b17a1a78d124151c6f10a2e
SHA512

ad63f23480f39a37b9a03fb39ceb5bd32a303ce51260552150670a6e960025bca02fa36b0e2b42bf5d6a06ccac3b2255c83b93a256f1089396563ebb16302ff9
SSDEEP

768:b7o/2n1TCraU6GD1a4X0WcO+wMVm+slAMRq7:bc/y2lkF0+Bj7

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012242-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1196	rewok.exe

Loads dropped DLL 1 IoCs

pid	Process
2964	2024-01-23_c49d309ee24d5eac93316201d2716282_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2964	2024-01-23_c49d309ee24d5eac93316201d2716282_cryptolocker.exe
1196	rewok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1196	2964	2024-01-23_c49d309ee24d5eac93316201d2716282_cryptolocker.exe	28
PID 2964 wrote to memory of 1196	2964	2024-01-23_c49d309ee24d5eac93316201d2716282_cryptolocker.exe	28
PID 2964 wrote to memory of 1196	2964	2024-01-23_c49d309ee24d5eac93316201d2716282_cryptolocker.exe	28
PID 2964 wrote to memory of 1196	2964	2024-01-23_c49d309ee24d5eac93316201d2716282_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-23_c49d309ee24d5eac93316201d2716282_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_c49d309ee24d5eac93316201d2716282_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
41KB

MD5
0b6739c6b1d0066c11280195410b8852

SHA1
6cdd22493236697209f5d803c2c568e6883432c1

SHA256
7ecbfee1e074345b4f6622c57dfe6f461ebf77fe2fcdd4c5a53e33bbfd79c29d

SHA512
a076b5f8db6987ab4416edca8740aa01038023df8b8a7c1bd3270d799b71b883d26cf0288ed1a78ed822172546a83de71f9b1a0b23ce1e108151e85af343baa5

Download Submit
memory/1196-18-0x0000000001BC0000-0x0000000001BC6000-memory.dmp

Filesize
24KB

Download
memory/2964-0-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2964-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2964-8-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download