Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 15:52

Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe
Resource: win7-20231215-en
General
- Target: 2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe
- Size: 43KB
- MD5: df60a358642e121721b3c7474720fff6
- SHA1: 0a77d5e946b7a035a4ee500ce4c14d4d163eff3c
- SHA256: 851768eb3ecf9ba194b8c0f16e051834f07a239d52c378b5835bb6b58826bef7
- SHA512: 8898554922f894cfa024d1a00fa1427fa8ca5a08c89a1a77f7c9186176b07c8d024fcc346580269ce129e20269ddeb070b5d0ce46647c192d196c3cce7e354cf
- SSDEEP: 768:b7o/2n1TCraU6GD1a4X0WcO+wMVm+slAMRqmz4kmmbO:bc/y2lkF0+BjjIbO
Malware Config

Signatures
- Detection of CryptoLocker Variants (1 IoC)
  Processes:
  resource: \Users\Admin\AppData\Local\Temp\rewok.exe, yara_rule: CryptoLocker_rule2
- Executes dropped EXE (1 IoC)
  Processes:
  pid 2732, process rewok.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid 2228, process 2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes:
  pid 2228, process 2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe
  pid 2732, process rewok.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  PID 2228 wrote to memory of 2732, 2228, 2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe, rewok.exe
  PID 2228 wrote to memory of 2732, 2228, 2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe, rewok.exe
  PID 2228 wrote to memory of 2732, 2228, 2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe, rewok.exe
  PID 2228 wrote to memory of 2732, 2228, 2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe, rewok.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe"
  PID: 2228
  - Loads dropped DLL
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rewok.exe (child of PID 2228)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
    PID: 2732
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Local\Temp\rewok.exe
  Filesize: 43KB
  MD5: a3995d75cfa3c3cc85b9364695fac4f9
  SHA1: bb01a2c4376cc7ac5dbb577e44074649c668a02b
  SHA256: 70bafc464fd3cd4d8aeb4d81e569e49bf4efb3e74d6d545848f6de5a5be96438
  SHA512: bfacbd40ed063ca1118b8df30f11ddc353546b8fc83e2aa239c6af9628c43f313a84df8de7dbb35b1d6eb633b1a8c2200cea3de4295e472ec0a1582d878772ef
- memory/2228-0-0x0000000000370000-0x0000000000376000-memory.dmp
  Filesize: 24KB
- memory/2228-1-0x0000000000370000-0x0000000000376000-memory.dmp
  Filesize: 24KB
- memory/2228-2-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB
- memory/2732-16-0x00000000003C0000-0x00000000003C6000-memory.dmp
  Filesize: 24KB