Analysis

Max time kernel: 121s
Max time network: 134s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 09/03/2024, 21:56
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-03-09_d9a26b386a86c1656d1c4a73f07840d1_cryptolocker.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 2024-03-09_d9a26b386a86c1656d1c4a73f07840d1_cryptolocker.exe
  Resource: win10v2004-20240226-en
General

Target: 2024-03-09_d9a26b386a86c1656d1c4a73f07840d1_cryptolocker.exe
Size: 42KB
MD5: d9a26b386a86c1656d1c4a73f07840d1
SHA1: af60219ff56e26d745dd00c1477f50b83ff14320
SHA256: d143de38138355352bfc402be7dcd162ed401a31dc6452791667cde020d92a27
SHA512: e262ad1e17c506abb0a70cf3e14b033144f40d561a8928192d3c26e0b449bb508d4b72fee0b98e36b45fe7dd73f06f3bb9a0ee597dd10e135bb75c59d79aa035
SSDEEP: 768:btB9g/WItCSsAGjX7r3BPOMHoc/QQJPCQ:btB9g/xtCSKfxLIc/X
Malware Config
Signatures

Detection of CryptoLocker Variants (1 IoC)
  resource                                      yara_rule
  behavioral1/files/0x000d00000001225b-10.dat   CryptoLocker_rule2

Executes dropped EXE (1 IoC)
  pid   Process
  2664  gewos.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2600  2024-03-09_d9a26b386a86c1656d1c4a73f07840d1_cryptolocker.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2600  2024-03-09_d9a26b386a86c1656d1c4a73f07840d1_cryptolocker.exe
  2664  gewos.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                                                        procid_target
  PID 2600 wrote to memory of 2664   2600  2024-03-09_d9a26b386a86c1656d1c4a73f07840d1_cryptolocker.exe  27
  PID 2600 wrote to memory of 2664   2600  2024-03-09_d9a26b386a86c1656d1c4a73f07840d1_cryptolocker.exe  27
  PID 2600 wrote to memory of 2664   2600  2024-03-09_d9a26b386a86c1656d1c4a73f07840d1_cryptolocker.exe  27
  PID 2600 wrote to memory of 2664   2600  2024-03-09_d9a26b386a86c1656d1c4a73f07840d1_cryptolocker.exe  27
Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-09_d9a26b386a86c1656d1c4a73f07840d1_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-09_d9a26b386a86c1656d1c4a73f07840d1_cryptolocker.exe"
  PID: 2600
  - Loads dropped DLL
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\gewos.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
    PID: 2664
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 42KB
MD5: a8ff3869f113b6a9cf760b382ce1f7f7
SHA1: 9a4f0dc35f49d575d704e1840e61f51c3526bf78
SHA256: 29b71ba0174abc25d6f12770590de965d325d21e734c8ea220190787e46b9d3d
SHA512: ad14370c645dcabfc66bd6238eb79e2499e4684c91f38b2b201ff78c5d291b64cd91bb95c1cc9ad55fcd7c287d04678ed9ec87496231a1e5b163a371d9eaa8f4