aba3dca0ff3cf98a621334f7786b1789f17018bef88e5ded35113460bab064e6

Analysis

max time kernel
139s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe
Size

35KB
MD5

b02a688a46e715d092c86ea8bbd0e3a9
SHA1

41848eb9d6311d86a035bdc5c43fc0aeaf6ab467
SHA256

aba3dca0ff3cf98a621334f7786b1789f17018bef88e5ded35113460bab064e6
SHA512

2d5244459bf51c3d1fce90475af5fef23f3f81b45612bcacd3909548f87c76ea697462b91c379e7b68e83ed4d5ac03d738b3fa28050b7631fe5be8d8ea18fba5
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2B0q8bg4+y:btB9g/WItCSsAGjX7r3BTAey

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000001db72-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	gewos.exe

Executes dropped EXE 1 IoCs

pid	Process
3684	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 3684	3412	2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe	96
PID 3412 wrote to memory of 3684	3412	2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe	96
PID 3412 wrote to memory of 3684	3412	2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe	96

C:\Users\Admin\AppData\Local\Temp\2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_b02a688a46e715d092c86ea8bbd0e3a9_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3340 --field-trial-handle=3536,i,10914981530159316853,12381340356750224673,262144 --variations-seed-version /prefetch:8
1⤵
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
36KB

MD5
e99b5517bc86b900a759b601ce82b882

SHA1
1c414980a3c434d98581a18f9ac3b43db774af05

SHA256
3dca5d4667ad6a40a042de00b5b25a0a5ac98d9203fa40273ffb1630e4b3475c

SHA512
6f310640aee1e77db9ae0df737140b011f4c561acd6ceab9f4198361c354f143514ef8f1ce449a4858357ee6d0ce5427103c5507ee47ec3f1ddfafde954ffaf6

Download Submit
memory/3412-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/3412-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/3412-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3684-20-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download