cddd5e5e9c96d9bc417dbaf6b5ccdc60039663beac75db6d7104be40647716fd

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-16_4b3dcf52ddc6386d8b94d576ec9d82b7_cryptolocker.exe
Size

44KB
MD5

4b3dcf52ddc6386d8b94d576ec9d82b7
SHA1

ec5fda0c8bee3e5e8e38011e4b4780a1b651ff45
SHA256

cddd5e5e9c96d9bc417dbaf6b5ccdc60039663beac75db6d7104be40647716fd
SHA512

09d05d19730f14a5ec8bf0bc2c32e7eaabf6850c7cce5c7fb1c2213bcc693ca88f89c170fa39040c3afed70de7a6eddc6fc42a09363175e3e0511f2b46574532
SSDEEP

768:btB9g/WItCSsAGjX7r3BPOMHoc/QQJP5Q:btB9g/xtCSKfxLIc/Y

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122dd-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2176	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2104	2024-03-16_4b3dcf52ddc6386d8b94d576ec9d82b7_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2104	2024-03-16_4b3dcf52ddc6386d8b94d576ec9d82b7_cryptolocker.exe
2176	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2176	2104	2024-03-16_4b3dcf52ddc6386d8b94d576ec9d82b7_cryptolocker.exe	28
PID 2104 wrote to memory of 2176	2104	2024-03-16_4b3dcf52ddc6386d8b94d576ec9d82b7_cryptolocker.exe	28
PID 2104 wrote to memory of 2176	2104	2024-03-16_4b3dcf52ddc6386d8b94d576ec9d82b7_cryptolocker.exe	28
PID 2104 wrote to memory of 2176	2104	2024-03-16_4b3dcf52ddc6386d8b94d576ec9d82b7_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-16_4b3dcf52ddc6386d8b94d576ec9d82b7_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-16_4b3dcf52ddc6386d8b94d576ec9d82b7_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
44KB

MD5
5b700ecdde48356c9351cd46fff387f4

SHA1
8985599eed412ce4bc88a172b39f1d9236b84106

SHA256
6ed59a22faaaf32f813d91abf822d4f2a4bcadca7d8f19502e7335dbedde4b94

SHA512
4c7b8f01e37fcdc812c6a27ba231dfd7ffb39b00d083fb5f7fc1b9c0deff1ee8a579c6f60ab8b2f2854ba94eb0c049f0b7ae354a7b5e0e2d77b9d2f0390efb8a

Download Submit
memory/2104-0-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/2104-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2104-2-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/2176-17-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download