Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
29/02/2024, 00:56
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-29_e13b6372f71b660d7c42a13ed113e62e_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-02-29_e13b6372f71b660d7c42a13ed113e62e_cryptolocker.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-02-29_e13b6372f71b660d7c42a13ed113e62e_cryptolocker.exe
-
Size
60KB
-
MD5
e13b6372f71b660d7c42a13ed113e62e
-
SHA1
0373e4e605a5a10ca4aee4a5f8faaf7da6fb6176
-
SHA256
be06af0e6c55fcad543e9ad18f72f46a8c55f35956446427a67207a33921889b
-
SHA512
365293b7fe68e4890e008509c29ba975865da9a38e1ce42ab518ce3cbe4098177f4219377ec816ce5f6c0762602aca678f1353fe0342c16d9cd74e7ecd6f4889
-
SSDEEP
1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHOE:btng54SMLr+/AO/kIhfoKMHdi
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral1/files/0x000b00000001224c-10.dat CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
pid Process 2612 gewos.exe -
Loads dropped DLL 1 IoCs
pid Process 3024 2024-02-29_e13b6372f71b660d7c42a13ed113e62e_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of UnmapMainImage 2 IoCs
pid Process 3024 2024-02-29_e13b6372f71b660d7c42a13ed113e62e_cryptolocker.exe 2612 gewos.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3024 wrote to memory of 2612 3024 2024-02-29_e13b6372f71b660d7c42a13ed113e62e_cryptolocker.exe 28 PID 3024 wrote to memory of 2612 3024 2024-02-29_e13b6372f71b660d7c42a13ed113e62e_cryptolocker.exe 28 PID 3024 wrote to memory of 2612 3024 2024-02-29_e13b6372f71b660d7c42a13ed113e62e_cryptolocker.exe 28 PID 3024 wrote to memory of 2612 3024 2024-02-29_e13b6372f71b660d7c42a13ed113e62e_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-29_e13b6372f71b660d7c42a13ed113e62e_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-29_e13b6372f71b660d7c42a13ed113e62e_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\gewos.exe"C:\Users\Admin\AppData\Local\Temp\gewos.exe"2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2612
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD532c666f2e59518c6304041ab5d7a7658
SHA1b2e8ae207b6c4e0dbef74400211d1d1c56a383b9
SHA256eb995282be5524ab6d718ab4f6f406b46b6bb88d25fc102365acd6f803eef73e
SHA512e8468f6f71b99a258244109d1ebe9c4176b1689e7212cb9f49b86a05a1424a25c616d4ba908bd82eb20c0d103053a989e21afd5c2b910d63594f04988501a2bf