86b3f5eb746325e3acc203d1e496259ff0b85d63ec94fec57e947e6fcfbd454d

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 19:24 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe
Size

31KB
MD5

4d0a4a4682ab8d368fa13a64f316776e
SHA1

d14882de5d86183bac986c0754064c37703606ab
SHA256

86b3f5eb746325e3acc203d1e496259ff0b85d63ec94fec57e947e6fcfbd454d
SHA512

8c06ef0c6e4b5ea03694076584e6f75478a144459b0ba8320fae84e13e1cc94ad02722bc9e001171cbd760db691ffaae2697122fa69a1e48a0071b9099483116
SSDEEP

384:bmM0V/YPvnr801TRoUGPh4TKt6ATt1DqgPa3s/zzoCt96Jg57:b7o/2n1TCraU6GD1a4Xt94u

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012243-13.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2852	rewok.exe

Loads dropped DLL 1 IoCs

pid	Process
2040	2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2040	2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe
2852	rewok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2852	2040	2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe	28
PID 2040 wrote to memory of 2852	2040	2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe	28
PID 2040 wrote to memory of 2852	2040	2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe	28
PID 2040 wrote to memory of 2852	2040	2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2852

Network

DNS

spinistry.com

rewok.exe

Remote address:

8.8.8.8:53

Request

spinistry.com

IN A

Response

spinistry.com

IN A

64.98.135.121
DNS

spinistry.com

rewok.exe

Remote address:

8.8.8.8:53

Request

spinistry.com

IN A

64.98.135.121:443

spinistry.com

rewok.exe

152 B
3
64.98.135.121:443

spinistry.com

rewok.exe

152 B
3
64.98.135.121:443

spinistry.com

rewok.exe

152 B
3
64.98.135.121:443

spinistry.com

rewok.exe

152 B
3
64.98.135.121:443

spinistry.com

rewok.exe

152 B
3
64.98.135.121:443

spinistry.com

rewok.exe

152 B
3
64.98.135.121:443

spinistry.com

rewok.exe

152 B
3
64.98.135.121:443

spinistry.com

rewok.exe

52 B
1

8.8.8.8:53

spinistry.com

dns

rewok.exe

118 B
75 B
2
1

DNS Request

spinistry.com

DNS Request

spinistry.com

DNS Response

64.98.135.121

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
32KB

MD5
c5d707c6dc5dd2fa8075e31181302c76

SHA1
b775bec975f989c16df0853977746de8051f3c92

SHA256
7caf2d1c1996f5733819807a6934953696f0049e2ffb3460ccff13d4f7cf77b3

SHA512
fea550f89e9a7cf642032030a16ab4330e8810acebe6bd6bf7d87d1ae514bc489e780b2c0b8ada18c3910e2603aa0255b93836acd57aee88368eaab0dd550eb3

Download Submit
memory/2040-0-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/2040-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2040-2-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/2852-16-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download