2aa0b5712950c4e31c9b991d869ccc427c994879f609e312dbc13804d37bf355

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 17:58

Target

2024-02-12_fc36e9e88367952970fb608509554bc7_cryptolocker.exe
Size

41KB
MD5

fc36e9e88367952970fb608509554bc7
SHA1

752133455ddd13ae15669f0ab54b6032e10612ff
SHA256

2aa0b5712950c4e31c9b991d869ccc427c994879f609e312dbc13804d37bf355
SHA512

4fe859476c35feef2eb3f36584ae99e8a3b6bf421cd47e39f8d538230ff11f1009737a0aa7be85bdfe94e207ec03cde1e42371b1c33ae37a500a588bedb1dbc4
SSDEEP

768:btB9g/WItCSsAGjX7r3BPOMHocM4vUUOmJ+7f:btB9g/xtCSKfxLIcMzUw7f

Score

9^/10

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\gewos.exe	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

Processes:

gewos.exe

pid process

2264 gewos.exe
Loads dropped DLL 1 IoCs

Processes:

2024-02-12_fc36e9e88367952970fb608509554bc7_cryptolocker.exe

pid process

760 2024-02-12_fc36e9e88367952970fb608509554bc7_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of UnmapMainImage 2 IoCs

Processes:

2024-02-12_fc36e9e88367952970fb608509554bc7_cryptolocker.exegewos.exe

pid process

760 2024-02-12_fc36e9e88367952970fb608509554bc7_cryptolocker.exe
2264 gewos.exe

pid	process
2264	gewos.exe

pid	process
760	2024-02-12_fc36e9e88367952970fb608509554bc7_cryptolocker.exe

pid	process
760	2024-02-12_fc36e9e88367952970fb608509554bc7_cryptolocker.exe
2264	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-02-12_fc36e9e88367952970fb608509554bc7_cryptolocker.exe

description	pid	process	target process
PID 760 wrote to memory of 2264	760	2024-02-12_fc36e9e88367952970fb608509554bc7_cryptolocker.exe	gewos.exe
PID 760 wrote to memory of 2264	760	2024-02-12_fc36e9e88367952970fb608509554bc7_cryptolocker.exe	gewos.exe
PID 760 wrote to memory of 2264	760	2024-02-12_fc36e9e88367952970fb608509554bc7_cryptolocker.exe	gewos.exe
PID 760 wrote to memory of 2264	760	2024-02-12_fc36e9e88367952970fb608509554bc7_cryptolocker.exe	gewos.exe

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
41KB

MD5
479768f8578fea82165ea29dbb6983bc

SHA1
88b02429a78ae9478f70caf48dc8b362a8492cbf

SHA256
7e866f8af4ba9ae30cb47f490dfe2d9ee345c58859a1bb80d26d39fcd1af2c0d

SHA512
504767438d0fbeb184ab2529c1b2c34e444ee45f0c483990602f7da4946c8132d89487618da3fda0c884997f4fd49dce429cefb2d885836efc23b155a82993a0

Download Submit
memory/760-0-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/760-2-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/760-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2264-18-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download