5310f4fff75553762b60f5eb3ce723c4b6b1c79ef93f8da96013a7b6e7ee9b86

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 08:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_92ae507495a6168d099d0db4ef7c8652_cryptolocker.exe
Size

40KB
MD5

92ae507495a6168d099d0db4ef7c8652
SHA1

27a73866ffe67f09526a81c152a2627f565c5154
SHA256

5310f4fff75553762b60f5eb3ce723c4b6b1c79ef93f8da96013a7b6e7ee9b86
SHA512

d6b9ac9de5a9268d3c819203ecd4e7d6f88cdfbd5d67ac2f1ea646b0116ec2ab630fa34c2b22b4fc99c97f514f8f143ce8a76ff69c832c19a6f261a32b5afd5c
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunrkwIxZWQpT:btB9g/WItCSsAGjX7e9N0hunrknlT

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001225c-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2356	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2532	2024-01-24_92ae507495a6168d099d0db4ef7c8652_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2532	2024-01-24_92ae507495a6168d099d0db4ef7c8652_cryptolocker.exe
2356	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2356	2532	2024-01-24_92ae507495a6168d099d0db4ef7c8652_cryptolocker.exe	28
PID 2532 wrote to memory of 2356	2532	2024-01-24_92ae507495a6168d099d0db4ef7c8652_cryptolocker.exe	28
PID 2532 wrote to memory of 2356	2532	2024-01-24_92ae507495a6168d099d0db4ef7c8652_cryptolocker.exe	28
PID 2532 wrote to memory of 2356	2532	2024-01-24_92ae507495a6168d099d0db4ef7c8652_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-24_92ae507495a6168d099d0db4ef7c8652_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_92ae507495a6168d099d0db4ef7c8652_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
40KB

MD5
8065dacbad6b6fb344ae2ca888458e09

SHA1
1783c756fa82d0ac35c14827fa418952aa500ee1

SHA256
4ff6c15aae465c554eb1c8f4d527d98dc3ce5d6f634e585049de3741c95f6ccd

SHA512
24148dd6620693f9df78830ded823473824c646e3f67f5fea47980774f2dd6c4f6086220c4f09a248f289e902feb4b0317a0192ce793a1e7f70145f689df606e

Download Submit
memory/2356-23-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/2532-0-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2532-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2532-8-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download