Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
23-01-2024 19:51
Static task
static1
Behavioral task
behavioral1
Sample
2024-01-23_d316dcea62cfb6d29a5afddaa8a4dfd7_cryptolocker.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-01-23_d316dcea62cfb6d29a5afddaa8a4dfd7_cryptolocker.exe
Resource
win10v2004-20231222-en
General
-
Target
2024-01-23_d316dcea62cfb6d29a5afddaa8a4dfd7_cryptolocker.exe
-
Size
44KB
-
MD5
d316dcea62cfb6d29a5afddaa8a4dfd7
-
SHA1
09515950e309c1faa4a4eb231681a411235902e0
-
SHA256
206c603e007a0dc46edb36bd18eee13396e73ad8cc8b4ce6f3416b5074dc9cf3
-
SHA512
d0432be0f4acfdfc5fdf32a8d80804177833a663bd446c058c4bf658ba694c9bdedebf6aeb5d8be105994c91aadf77ccd97e8233de5af5a6282b3146e32262a7
-
SSDEEP
768:btB9g/WItCSsAGjX7r3BPOMHoc/QQJP5q49:btB9g/xtCSKfxLIc/C49
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral1/files/0x000c000000012308-10.dat CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
pid Process 2264 gewos.exe -
Loads dropped DLL 1 IoCs
pid Process 1992 2024-01-23_d316dcea62cfb6d29a5afddaa8a4dfd7_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of UnmapMainImage 2 IoCs
pid Process 1992 2024-01-23_d316dcea62cfb6d29a5afddaa8a4dfd7_cryptolocker.exe 2264 gewos.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1992 wrote to memory of 2264 1992 2024-01-23_d316dcea62cfb6d29a5afddaa8a4dfd7_cryptolocker.exe 28 PID 1992 wrote to memory of 2264 1992 2024-01-23_d316dcea62cfb6d29a5afddaa8a4dfd7_cryptolocker.exe 28 PID 1992 wrote to memory of 2264 1992 2024-01-23_d316dcea62cfb6d29a5afddaa8a4dfd7_cryptolocker.exe 28 PID 1992 wrote to memory of 2264 1992 2024-01-23_d316dcea62cfb6d29a5afddaa8a4dfd7_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-23_d316dcea62cfb6d29a5afddaa8a4dfd7_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-23_d316dcea62cfb6d29a5afddaa8a4dfd7_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\gewos.exe"C:\Users\Admin\AppData\Local\Temp\gewos.exe"2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2264
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
44KB
MD52518cd71c07184343285998c54388944
SHA1ecb2dac28fba9532f0ae1d72d0ee04080f4ea8fa
SHA2569e79eee52c1e6f398cfb5a84c0464399854c6d578ea206d3f8012b8ef7cda26c
SHA51228387a12c3f0db1ee701e1034e82f1e2d7ea83ba4619f04a0a972e367f70427f210954d9fdada86ac47242a004a0d5dff34ae15fa027c0bd2934ff59944b58cd