b9203a5542ca637c6a9330f3e3f3517e27516af73e62162fa98300483b8439a9

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_9dfe21dabf53cda17ea9e77a2961bc06_cryptolocker.exe
Size

41KB
MD5

9dfe21dabf53cda17ea9e77a2961bc06
SHA1

4b5ae7f8d4dde28c4ce9cd7faef43d8abd9d6eee
SHA256

b9203a5542ca637c6a9330f3e3f3517e27516af73e62162fa98300483b8439a9
SHA512

d096e8403dc9a1bb0fe8c76e39f737fa289efaabcea6c1698fe4ed05e1bb89d1479f1612cc45585dc1028f23c86759a7abddf2295547f43e09cd36f457875e8d
SSDEEP

768:b7o/2n1TCraU6GD1a4X0WcO+wMVm+slAMRq3R:bc/y2lkF0+Bj3R

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001224d-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1612	rewok.exe

Loads dropped DLL 1 IoCs

pid	Process
2328	2024-03-15_9dfe21dabf53cda17ea9e77a2961bc06_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2328	2024-03-15_9dfe21dabf53cda17ea9e77a2961bc06_cryptolocker.exe
1612	rewok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1612	2328	2024-03-15_9dfe21dabf53cda17ea9e77a2961bc06_cryptolocker.exe	28
PID 2328 wrote to memory of 1612	2328	2024-03-15_9dfe21dabf53cda17ea9e77a2961bc06_cryptolocker.exe	28
PID 2328 wrote to memory of 1612	2328	2024-03-15_9dfe21dabf53cda17ea9e77a2961bc06_cryptolocker.exe	28
PID 2328 wrote to memory of 1612	2328	2024-03-15_9dfe21dabf53cda17ea9e77a2961bc06_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-15_9dfe21dabf53cda17ea9e77a2961bc06_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_9dfe21dabf53cda17ea9e77a2961bc06_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
41KB

MD5
071f3bff860941cf4c3174be80aa9130

SHA1
cdef16f3f0558f566ce5046a8460123452c6a724

SHA256
b8c9298593d4b5de936745572cbd908ff03eb71913c1523c79d391919c586c38

SHA512
895881a7eed1d2ad558ad6ae38d7684bfc7872a7054b4519467f03da865fcfb8e0a752a99ac4debe612bd30e0d2cc3a6363fe3e8abc987ccd6ce9e3c3f10aba1

Download Submit
memory/1612-23-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/2328-2-0x00000000007E0000-0x00000000007E6000-memory.dmp

Filesize
24KB

Download
memory/2328-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2328-0-0x00000000007E0000-0x00000000007E6000-memory.dmp

Filesize
24KB

Download