Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
12-02-2024 17:44
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe
Resource
win10v2004-20231222-en
General
-
Target
2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe
-
Size
32KB
-
MD5
957473a6f39ed0436d3969b08bacc84b
-
SHA1
80e9715f6b2bcd635b06c8011acd2a3b281560a4
-
SHA256
eb2c9a0961480f91a65a4ef38e9ed07eca3e9acce5866848ae74a89e0d1e447b
-
SHA512
4bb6406f306a2077b98f5903463d445b9a52dcb4167841e14567c05a2a3807f2afb54fe7da22680d092634df725275f1203fcdba76352490e08a3cfbaed630e9
-
SSDEEP
384:bmM0V/YPvnr801TRoUGPh4TKt6ATt1DqgPa3s/zzoCt9/B1RwFta:b7o/2n1TCraU6GD1a4Xt9bRwS
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\rewok.exe CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
Processes:
rewok.exepid process 2408 rewok.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exepid process 2340 2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of UnmapMainImage 2 IoCs
Processes:
2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exerewok.exepid process 2340 2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe 2408 rewok.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exedescription pid process target process PID 2340 wrote to memory of 2408 2340 2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe rewok.exe PID 2340 wrote to memory of 2408 2340 2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe rewok.exe PID 2340 wrote to memory of 2408 2340 2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe rewok.exe PID 2340 wrote to memory of 2408 2340 2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe rewok.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\rewok.exe"C:\Users\Admin\AppData\Local\Temp\rewok.exe"2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2408
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32KB
MD54f095847d407df28a1513143ca12ac23
SHA1497e8d5bf4f863637d753514c44d9177a818d50b
SHA256f6cb40ada8cc563e908739ac4c07535acc480952f648ce5b9aa02431e39cc6e6
SHA512a1ad503807abc269a0d09908953361e6e83ca81ed1cce082e4e6bb0b90ebbf7b12386d571564e94db3fd3b3632353974259b130a5557c99ab452a7e549aa4252