3ba83d67df325ff32b21e446fda713ba82d39369932f843883e8946a2c7970ac

Analysis

max time kernel
122s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_f3cdf5e41951f438d17f0025950b6c36_cryptolocker.exe
Size

63KB
MD5

f3cdf5e41951f438d17f0025950b6c36
SHA1

d7de3cdfb097407c4cb5340a3a2f8f54c2d913cd
SHA256

3ba83d67df325ff32b21e446fda713ba82d39369932f843883e8946a2c7970ac
SHA512

5d553b94c071fb723c97494f718ab2f9eaf3ba32bb9c191cb5ad29f7a732dc016ef2e693452e86743afb69080b9b5449cf2b09daaf83503ba398f9852b4a0d09
SSDEEP

1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHaxH:btng54SMLr+/AO/kIhfoKMHdPH

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012246-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2372	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2256	2024-04-19_f3cdf5e41951f438d17f0025950b6c36_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2256	2024-04-19_f3cdf5e41951f438d17f0025950b6c36_cryptolocker.exe
2372	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2372	2256	2024-04-19_f3cdf5e41951f438d17f0025950b6c36_cryptolocker.exe	28
PID 2256 wrote to memory of 2372	2256	2024-04-19_f3cdf5e41951f438d17f0025950b6c36_cryptolocker.exe	28
PID 2256 wrote to memory of 2372	2256	2024-04-19_f3cdf5e41951f438d17f0025950b6c36_cryptolocker.exe	28
PID 2256 wrote to memory of 2372	2256	2024-04-19_f3cdf5e41951f438d17f0025950b6c36_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-19_f3cdf5e41951f438d17f0025950b6c36_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_f3cdf5e41951f438d17f0025950b6c36_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
63KB

MD5
44ee75f6d20404db776bcff1ee2ff30f

SHA1
3adb386cd4011ff3e4b29e56f25b954b4f08486d

SHA256
c4e0453435622e563eef00aa5019d5a6180fb0978fe5c45d170eb0db16f70fb8

SHA512
6e5678534d0f8c41936117d05fd1fae2025647ce2de9dbc234b934c2f9de01e4a7b106a22d3fb56d96f4cd9fcc880a36886ea8e09434baabe034fd7c8b14202a

Download Submit
memory/2256-0-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2256-1-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2256-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2372-22-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download