Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/02/2024, 16:44 UTC

General

  • Target

    2024-02-18_464f6ba5d919a2a13be62d99c43cbcf3_cryptolocker.exe

  • Size

    32KB

  • MD5

    464f6ba5d919a2a13be62d99c43cbcf3

  • SHA1

    b92e98b3ab85358f1545fc13b58e7e43b273fa36

  • SHA256

    3378a70f8f0d863e094cbd3389d400cf8903508bd2fd528d04b96ca1583f1082

  • SHA512

    61003056eff7d0b444b3ba5a89d90050fa5d3754656162017d74d95d106f173d940d4bb4ac3fa4df8e09e3139bc256b90c4c3e5e95af15bd6576d2b6d0d032d0

  • SSDEEP

    384:bmM0V/YPvnr801TRoUGPh4TKt6ATt1DqgPa3s/zzoCt9/B1RU3qbSFS:b7o/2n1TCraU6GD1a4Xt9bRU62FS

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-18_464f6ba5d919a2a13be62d99c43cbcf3_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-18_464f6ba5d919a2a13be62d99c43cbcf3_cryptolocker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Temp\rewok.exe
      "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:2400

Network

  • DNS (geolocation: US)
    spinistry.com
    rewok.exe
    Remote address:
    8.8.8.8:53
    Request
    spinistry.com
    IN A
    Response
    spinistry.com
    IN A
    64.98.135.121
  • 64.98.135.121:443
    spinistry.com
    rewok.exe
    152 B
    3
  • 64.98.135.121:443
    spinistry.com
    rewok.exe
    152 B
    3
  • 64.98.135.121:443
    spinistry.com
    rewok.exe
    152 B
    3
  • 64.98.135.121:443
    spinistry.com
    rewok.exe
    152 B
    3
  • 64.98.135.121:443
    spinistry.com
    rewok.exe
    152 B
    3
  • 64.98.135.121:443
    spinistry.com
    rewok.exe
    152 B
    3
  • 64.98.135.121:443
    spinistry.com
    rewok.exe
    152 B
    3
  • 64.98.135.121:443
    spinistry.com
    rewok.exe
    52 B
    1
  • 8.8.8.8:53
    spinistry.com
    dns
    rewok.exe
    59 B
    75 B
    1
    1

    DNS Request

    spinistry.com

    DNS Response

    64.98.135.121

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\rewok.exe

    Filesize

    33KB

    MD5

    6ccd6bd7df6c893f6781ffa73b2f0da0

    SHA1

    6557de7ef5b29da20467b298b9a70f0e5737f6e4

    SHA256

    18a51e0468580c605c9fd620376a94dd92d3b3a34eb4baa26a292f9191105bc9

    SHA512

    3d400c7adef87a1053f85b8f163335f713d52bb2513b5f32995c64d773acdc5322fefa0279448ac488a26fbd924b5fbb1488c9923cbfe3a91ebbffc6e13d0e1c

  • memory/2020-0-0x0000000000260000-0x0000000000266000-memory.dmp

    Filesize

    24KB

  • memory/2020-1-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/2020-4-0x0000000000260000-0x0000000000266000-memory.dmp

    Filesize

    24KB

  • memory/2400-17-0x0000000001CC0000-0x0000000001CC6000-memory.dmp

    Filesize

    24KB
