Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
12-02-2024 17:56
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-12_f37e4ed142aae67080ed8f58bb12e92f_cryptolocker.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-02-12_f37e4ed142aae67080ed8f58bb12e92f_cryptolocker.exe
Resource
win10v2004-20231222-en
General
-
Target
2024-02-12_f37e4ed142aae67080ed8f58bb12e92f_cryptolocker.exe
-
Size
41KB
-
MD5
f37e4ed142aae67080ed8f58bb12e92f
-
SHA1
9c5a4c6d6e443da23685455d725146026f9e099c
-
SHA256
1667557ba87132c48f05cbc3a31c3beb18ea762f9a8c80af552814c81a6b8880
-
SHA512
422e31c6cb091d307b488767402d7b7a71f4166cb4506055ade10ad20dca305d25362711f9a7cfc45d807e9ac0dff0e59f12c7041bdcd7d5a170b6fa4f37c6fb
-
SSDEEP
768:b7o/2n1TCraU6GD1a4X0WcO+wMVm+slAMRqbo33:bc/y2lkF0+BjUH
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\rewok.exe CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2024-02-12_f37e4ed142aae67080ed8f58bb12e92f_cryptolocker.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation 2024-02-12_f37e4ed142aae67080ed8f58bb12e92f_cryptolocker.exe -
Executes dropped EXE 1 IoCs
Processes:
rewok.exepid process 2304 rewok.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2024-02-12_f37e4ed142aae67080ed8f58bb12e92f_cryptolocker.exedescription pid process target process PID 2128 wrote to memory of 2304 2128 2024-02-12_f37e4ed142aae67080ed8f58bb12e92f_cryptolocker.exe rewok.exe PID 2128 wrote to memory of 2304 2128 2024-02-12_f37e4ed142aae67080ed8f58bb12e92f_cryptolocker.exe rewok.exe PID 2128 wrote to memory of 2304 2128 2024-02-12_f37e4ed142aae67080ed8f58bb12e92f_cryptolocker.exe rewok.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-12_f37e4ed142aae67080ed8f58bb12e92f_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-12_f37e4ed142aae67080ed8f58bb12e92f_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Users\Admin\AppData\Local\Temp\rewok.exe"C:\Users\Admin\AppData\Local\Temp\rewok.exe"2⤵
- Executes dropped EXE
PID:2304
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42KB
MD59f5851994335e9735ff7b67aad230781
SHA18127c2a8befd8e05a1bc5318a48cc139d7a3479d
SHA2566255f3ff11558397685cdb6581ccb0de64bb8414d3a32c4bffe26cff16115a7b
SHA51250d16633f343d3a4c87a4ff90dd173dd9d7f92aa7e92ce0a6bd9ff22e290a5bb8cfd2bd09a18c221caa2044c004cafa592fc87e4eebb3369307d9450cf119061