aba3dca0ff3cf98a621334f7786b1789f17018bef88e5ded35113460bab064e6

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe
Size

35KB
MD5

b02a688a46e715d092c86ea8bbd0e3a9
SHA1

41848eb9d6311d86a035bdc5c43fc0aeaf6ab467
SHA256

aba3dca0ff3cf98a621334f7786b1789f17018bef88e5ded35113460bab064e6
SHA512

2d5244459bf51c3d1fce90475af5fef23f3f81b45612bcacd3909548f87c76ea697462b91c379e7b68e83ed4d5ac03d738b3fa28050b7631fe5be8d8ea18fba5
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2B0q8bg4+y:btB9g/WItCSsAGjX7r3BTAey

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012265-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2724	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2232	2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2232	2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe
2724	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2724	2232	2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe	28
PID 2232 wrote to memory of 2724	2232	2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe	28
PID 2232 wrote to memory of 2724	2232	2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe	28
PID 2232 wrote to memory of 2724	2232	2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
36KB

MD5
e99b5517bc86b900a759b601ce82b882

SHA1
1c414980a3c434d98581a18f9ac3b43db774af05

SHA256
3dca5d4667ad6a40a042de00b5b25a0a5ac98d9203fa40273ffb1630e4b3475c

SHA512
6f310640aee1e77db9ae0df737140b011f4c561acd6ceab9f4198361c354f143514ef8f1ce449a4858357ee6d0ce5427103c5507ee47ec3f1ddfafde954ffaf6

Download Submit
memory/2232-0-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2232-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2232-2-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2724-19-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download