851768eb3ecf9ba194b8c0f16e051834f07a239d52c378b5835bb6b58826bef7

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 15:52

Target

2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe
Size

43KB
MD5

df60a358642e121721b3c7474720fff6
SHA1

0a77d5e946b7a035a4ee500ce4c14d4d163eff3c
SHA256

851768eb3ecf9ba194b8c0f16e051834f07a239d52c378b5835bb6b58826bef7
SHA512

8898554922f894cfa024d1a00fa1427fa8ca5a08c89a1a77f7c9186176b07c8d024fcc346580269ce129e20269ddeb070b5d0ce46647c192d196c3cce7e354cf
SSDEEP

768:b7o/2n1TCraU6GD1a4X0WcO+wMVm+slAMRqmz4kmmbO:bc/y2lkF0+BjjIbO

Score

9^/10

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\rewok.exe	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

Processes:

rewok.exe

pid process

2732 rewok.exe
Loads dropped DLL 1 IoCs

Processes:

2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe

pid process

2228 2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of UnmapMainImage 2 IoCs

Processes:

2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exerewok.exe

pid process

2228 2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe
2732 rewok.exe

pid	process
2732	rewok.exe

pid	process
2228	2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe

pid	process
2228	2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe
2732	rewok.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe

description	pid	process	target process
PID 2228 wrote to memory of 2732	2228	2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe	rewok.exe
PID 2228 wrote to memory of 2732	2228	2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe	rewok.exe
PID 2228 wrote to memory of 2732	2228	2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe	rewok.exe
PID 2228 wrote to memory of 2732	2228	2024-01-25_df60a358642e121721b3c7474720fff6_cryptolocker.exe	rewok.exe

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\rewok.exe
Filesize
43KB

MD5
a3995d75cfa3c3cc85b9364695fac4f9

SHA1
bb01a2c4376cc7ac5dbb577e44074649c668a02b

SHA256
70bafc464fd3cd4d8aeb4d81e569e49bf4efb3e74d6d545848f6de5a5be96438

SHA512
bfacbd40ed063ca1118b8df30f11ddc353546b8fc83e2aa239c6af9628c43f313a84df8de7dbb35b1d6eb633b1a8c2200cea3de4295e472ec0a1582d878772ef

Download Submit
memory/2228-0-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2228-1-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2228-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2732-16-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download