eb2c9a0961480f91a65a4ef38e9ed07eca3e9acce5866848ae74a89e0d1e447b

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 17:44

Target

2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe
Size

32KB
MD5

957473a6f39ed0436d3969b08bacc84b
SHA1

80e9715f6b2bcd635b06c8011acd2a3b281560a4
SHA256

eb2c9a0961480f91a65a4ef38e9ed07eca3e9acce5866848ae74a89e0d1e447b
SHA512

4bb6406f306a2077b98f5903463d445b9a52dcb4167841e14567c05a2a3807f2afb54fe7da22680d092634df725275f1203fcdba76352490e08a3cfbaed630e9
SSDEEP

384:bmM0V/YPvnr801TRoUGPh4TKt6ATt1DqgPa3s/zzoCt9/B1RwFta:b7o/2n1TCraU6GD1a4Xt9bRwS

Score

9^/10

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\rewok.exe	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

Processes:

rewok.exe

pid process

2408 rewok.exe
Loads dropped DLL 1 IoCs

Processes:

2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe

pid process

2340 2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of UnmapMainImage 2 IoCs

Processes:

2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exerewok.exe

pid process

2340 2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe
2408 rewok.exe

pid	process
2408	rewok.exe

pid	process
2340	2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe

pid	process
2340	2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe
2408	rewok.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe

description	pid	process	target process
PID 2340 wrote to memory of 2408	2340	2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe	rewok.exe
PID 2340 wrote to memory of 2408	2340	2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe	rewok.exe
PID 2340 wrote to memory of 2408	2340	2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe	rewok.exe
PID 2340 wrote to memory of 2408	2340	2024-02-12_957473a6f39ed0436d3969b08bacc84b_cryptolocker.exe	rewok.exe

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
32KB

MD5
4f095847d407df28a1513143ca12ac23

SHA1
497e8d5bf4f863637d753514c44d9177a818d50b

SHA256
f6cb40ada8cc563e908739ac4c07535acc480952f648ce5b9aa02431e39cc6e6

SHA512
a1ad503807abc269a0d09908953361e6e83ca81ed1cce082e4e6bb0b90ebbf7b12386d571564e94db3fd3b3632353974259b130a5557c99ab452a7e549aa4252

Download Submit
memory/2340-0-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/2340-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2340-8-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/2408-16-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download