a50725026e9e20060b9c2cf6c2c9ef6d6d15749ad92f16771b8ab22e225e5553

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_cf4cb883a6b0c8e2c99d2f3106d521b0_cryptolocker.exe
Size

44KB
MD5

cf4cb883a6b0c8e2c99d2f3106d521b0
SHA1

1cb951c6378bb2c9e2a8b1a79314872b97a5bceb
SHA256

a50725026e9e20060b9c2cf6c2c9ef6d6d15749ad92f16771b8ab22e225e5553
SHA512

72bb14a243a66cfc011fe7ca81755747c1e9744b9da03050354864aec39d8f4cb628eedaae8ed36532a5a38e9587aa3d84ccdd46c112f1c72e3db5930bf92196
SSDEEP

768:btB9g/WItCSsAGjX7r3BPOMHoc/QQJPCa:btB9g/xtCSKfxLIc/p

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000122bf-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2948	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2832	2024-04-21_cf4cb883a6b0c8e2c99d2f3106d521b0_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2832	2024-04-21_cf4cb883a6b0c8e2c99d2f3106d521b0_cryptolocker.exe
2948	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2948	2832	2024-04-21_cf4cb883a6b0c8e2c99d2f3106d521b0_cryptolocker.exe	28
PID 2832 wrote to memory of 2948	2832	2024-04-21_cf4cb883a6b0c8e2c99d2f3106d521b0_cryptolocker.exe	28
PID 2832 wrote to memory of 2948	2832	2024-04-21_cf4cb883a6b0c8e2c99d2f3106d521b0_cryptolocker.exe	28
PID 2832 wrote to memory of 2948	2832	2024-04-21_cf4cb883a6b0c8e2c99d2f3106d521b0_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf4cb883a6b0c8e2c99d2f3106d521b0_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf4cb883a6b0c8e2c99d2f3106d521b0_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
44KB

MD5
9976bc82419ee036a20f8a976ed26704

SHA1
a311b561237cd3d43a79ef0d4a0b5d9571994b46

SHA256
b5a7dd16dcf04bd136e9f0046a9c65ebf95c508bfcc6ae140ddb573a6a4949d2

SHA512
554b0c14e6e3f0839347999acc600acc08bfccdffb2e2ec9799d5a234214e67c7faac2bed45e405dc7e39731697005210182fa7bd4b5997f00d9b6aeb8e8265f

Download Submit
memory/2832-0-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2832-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2832-8-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2948-19-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download