1dd0438a6cc6a0c40b1db5ab20efb113dc6c2207200b00a70a193e7074003cf0

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_e400c45e20bd0ea114978ec16c4165a4_cryptolocker.exe
Size

35KB
MD5

e400c45e20bd0ea114978ec16c4165a4
SHA1

c896b0c080f6dea2f621be2192239f8a29117892
SHA256

1dd0438a6cc6a0c40b1db5ab20efb113dc6c2207200b00a70a193e7074003cf0
SHA512

f4b9f6264478880ae6143e17eeeac129e5bcdb866f84d849c0e605b9cc5d2fd866297025cc95fa459d4f96162a9af980c80a3b438100c943d55fb86b98f5b73e
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiA0jgg18IYW:btB9g/WItCSsAGjX7e9NzW

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012266-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1960	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2092	2024-02-14_e400c45e20bd0ea114978ec16c4165a4_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2092	2024-02-14_e400c45e20bd0ea114978ec16c4165a4_cryptolocker.exe
1960	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 1960	2092	2024-02-14_e400c45e20bd0ea114978ec16c4165a4_cryptolocker.exe	28
PID 2092 wrote to memory of 1960	2092	2024-02-14_e400c45e20bd0ea114978ec16c4165a4_cryptolocker.exe	28
PID 2092 wrote to memory of 1960	2092	2024-02-14_e400c45e20bd0ea114978ec16c4165a4_cryptolocker.exe	28
PID 2092 wrote to memory of 1960	2092	2024-02-14_e400c45e20bd0ea114978ec16c4165a4_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-14_e400c45e20bd0ea114978ec16c4165a4_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_e400c45e20bd0ea114978ec16c4165a4_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
35KB

MD5
6e570cee474d5a48eeb579db158a9da4

SHA1
6660dc0fdd71cc99b2eebdd8f38bb58e185a0274

SHA256
85c2ccc7211af2ad0510dbd877e86572dc8a3afc2307cb617deb1a41f9597bbe

SHA512
3ea122dc9429be9738159a88913109bedf1a71b5ba048888b269874c120939683794239107f8fc97bb135b01a3ae4592950ca02e79a95a77e54ef3ae7b9afeb0

Download Submit
memory/1960-23-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2092-0-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/2092-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2092-5-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download