bbb51461be1489d8cf52a5c5d36d85689ead376b7777b05850e0cb434e8d2c02

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 01:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_c497a3d36c2ec395c8f84307016be63a_cryptolocker.exe
Size

58KB
MD5

c497a3d36c2ec395c8f84307016be63a
SHA1

244648aeedb4488c53e083e00b97638b336ed77d
SHA256

bbb51461be1489d8cf52a5c5d36d85689ead376b7777b05850e0cb434e8d2c02
SHA512

5b2b623f33efd630dd479d9ab5d13e35a13d450e04603231a6f9dfda8e17bbc8a169244b40dd0c1f83981fab353f57b9bf44c5cde78f4bb68c7c6842a7df9818
SSDEEP

1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUH6X:btng54SMLr+/AO/kIhfoKMHdh

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122fc-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2036	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
1708	2024-04-06_c497a3d36c2ec395c8f84307016be63a_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1708	2024-04-06_c497a3d36c2ec395c8f84307016be63a_cryptolocker.exe
2036	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2036	1708	2024-04-06_c497a3d36c2ec395c8f84307016be63a_cryptolocker.exe	28
PID 1708 wrote to memory of 2036	1708	2024-04-06_c497a3d36c2ec395c8f84307016be63a_cryptolocker.exe	28
PID 1708 wrote to memory of 2036	1708	2024-04-06_c497a3d36c2ec395c8f84307016be63a_cryptolocker.exe	28
PID 1708 wrote to memory of 2036	1708	2024-04-06_c497a3d36c2ec395c8f84307016be63a_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-06_c497a3d36c2ec395c8f84307016be63a_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_c497a3d36c2ec395c8f84307016be63a_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
58KB

MD5
26d23156ecadccf399adaf46a0a1e86c

SHA1
bd6762624f5c04b2637cd5ce0c2e2b7866bd8b93

SHA256
e1d4fafea2acbd3fd27e1d5b787b8bcdce4e946f6f98584b24b44222b446650a

SHA512
c46480e98b6a2d8bfe633aec1a8f1c48f607d21aee362cf84322b1533cde74b8186397dc417a40c0d1569e48b9df929d5940ff22720e419ba304cb73019d11b0

Download Submit
memory/1708-0-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/1708-1-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/1708-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2036-23-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download