Overview

overview

10

Static

static

10

2024-01-28...er.exe

windows7-x64

9

2024-01-28...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    79s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-01-2024 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-28_4fd641b34a9cefac25c637d942fdabbb_cryptolocker.exe

  • Size

    58KB

  • MD5

    4fd641b34a9cefac25c637d942fdabbb

  • SHA1

    e841ed0f4f3a799d056c9ebdf3c7bb73ee326675

  • SHA256

    6043080749c24698cf20972fef7e48d43b51df1e822b548b730e2b0af6158b5c

  • SHA512

    55f17f1f0300b23f59bd07021abf42c9bc18a4ef96c36a1907361fadfaf899bbc8452af32797b27e86cc898fb3fece66568b9d76b2ac7d2a476a65e04f357b54

  • SSDEEP

    1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHc:btng54SMLr+/AO/kIhfoKMHdt

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-28_4fd641b34a9cefac25c637d942fdabbb_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-28_4fd641b34a9cefac25c637d942fdabbb_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Users\Admin\AppData\Local\Temp\gewos.exe
      "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:880

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gewos.exe
    Filesize

    59KB

    MD5

    9829dbea5d74c51c7c8fca8d68236841

    SHA1

    83b91474e64ac725524a23d77531a92e32a72261

    SHA256

    845a7e2b48555d304f3abd9e92d1201b3299a97176b2277f2d142d21b9b4392d

    SHA512

    7fe3fa845fe38d60f1960cf51c16d3e4cb3394f2a1baeb02a73e1d3991e736ce8cd44c28304d5c6448f47e17286988e852b0cb25f4ad4b2153b0e7bd6296b057

    Download Submit

  • memory/880-20-0x00000000006F0000-0x00000000006F6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1388-0-0x0000000000740000-0x0000000000746000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1388-1-0x0000000000740000-0x0000000000746000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1388-2-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download