4c61a518b2e23f6776e22f31ee516cafa2edaaee6c4eddb3c8433322240b0c97

Analysis

max time kernel
88s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 04:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_49ac93a9d4161bf5d3cde5534d9af962_cryptolocker.exe
Size

35KB
MD5

49ac93a9d4161bf5d3cde5534d9af962
SHA1

e902310128016bb4767d890db4fe3397919d1c8c
SHA256

4c61a518b2e23f6776e22f31ee516cafa2edaaee6c4eddb3c8433322240b0c97
SHA512

e4cc40e03bcd964458cacad42c56f4956a247ad40c64709091c07f383c2a52ee6f097f9c40e91d8b75a915920354df68509927e35fe66b93908d2508c2d22f7c
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunY:btB9g/WItCSsAGjX7e9N0hunY

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f2-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	2024-02-12_49ac93a9d4161bf5d3cde5534d9af962_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	gewos.exe

Executes dropped EXE 1 IoCs

pid	Process
1664	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 1664	4280	2024-02-12_49ac93a9d4161bf5d3cde5534d9af962_cryptolocker.exe	83
PID 4280 wrote to memory of 1664	4280	2024-02-12_49ac93a9d4161bf5d3cde5534d9af962_cryptolocker.exe	83
PID 4280 wrote to memory of 1664	4280	2024-02-12_49ac93a9d4161bf5d3cde5534d9af962_cryptolocker.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-02-12_49ac93a9d4161bf5d3cde5534d9af962_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_49ac93a9d4161bf5d3cde5534d9af962_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
35KB

MD5
77924636d92c0e991a6d3477ff5eb96c

SHA1
fd3e972a9853adc22d26eb0bdfe04f432298ca48

SHA256
6474f5090069690cdb2a3e925148c16f160a89245f56c9f992cb7bfc94a403ef

SHA512
61cde2c1f25589dfe3ac52c4e577d7b692167f9ab96e0a937d7ad3497a2ca71ea40bd8e06050707b91ecbc2b13c1be61528d3b73976acd1667eb89edb44135a0

Download Submit
memory/1664-19-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/4280-0-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/4280-1-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/4280-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download