1510cb09eacc333f229082f64b25c75418dcc8dfe18054cbd40c32fb6fc11f63

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23-01-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_3689f885277c76765c4e32085e96385b_cryptolocker.exe
Size

43KB
MD5

3689f885277c76765c4e32085e96385b
SHA1

66b981de39a01c5a1698890a808630a499e59132
SHA256

1510cb09eacc333f229082f64b25c75418dcc8dfe18054cbd40c32fb6fc11f63
SHA512

99a7244afaf805f49e5e1b13f059bec6edfdd74ee6f968f3c3c8fcef9175d7996bdd8ada23b0c8b650557aab07523a551fa109c8a85bd729b22305b20b780695
SSDEEP

768:btB9g/WItCSsAGjX7r3BPOMHoc/QQJP5k9B:btB9g/xtCSKfxLIc/+

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012287-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1432	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2060	2024-01-23_3689f885277c76765c4e32085e96385b_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2060	2024-01-23_3689f885277c76765c4e32085e96385b_cryptolocker.exe
1432	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1432	2060	2024-01-23_3689f885277c76765c4e32085e96385b_cryptolocker.exe	28
PID 2060 wrote to memory of 1432	2060	2024-01-23_3689f885277c76765c4e32085e96385b_cryptolocker.exe	28
PID 2060 wrote to memory of 1432	2060	2024-01-23_3689f885277c76765c4e32085e96385b_cryptolocker.exe	28
PID 2060 wrote to memory of 1432	2060	2024-01-23_3689f885277c76765c4e32085e96385b_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-23_3689f885277c76765c4e32085e96385b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_3689f885277c76765c4e32085e96385b_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
43KB

MD5
77976e6465882886105984b6fac681c2

SHA1
a75641870bca68db09830fd8c3a581c20f003e68

SHA256
74abbfa1752af6cad2c9edf7f6986886dd46b4f38a32fbe5bb2613a05547f21e

SHA512
4a46e6d9f9bd0d0d86e11c4d2807684445658231232c7687c211f41762edbc6f171668e808bd12c88f3ca4ab6f6787be4e87c3252f664ad864b5f5b4cf815867

Download Submit
memory/1432-18-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/2060-0-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/2060-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2060-2-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download