Analysis

max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 26-04-2024 23:25
Behavioral task: behavioral1
  Sample: 2024-04-26_6f631f859a50fe8b47429117b5c33a55_cryptolocker.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 2024-04-26_6f631f859a50fe8b47429117b5c33a55_cryptolocker.exe
  Resource: win10v2004-20240419-en
General

Target: 2024-04-26_6f631f859a50fe8b47429117b5c33a55_cryptolocker.exe
Size: 55KB
MD5: 6f631f859a50fe8b47429117b5c33a55
SHA1: 2a0db8a4d7500e0634730d8e0fd4dd974569322c
SHA256: 719d5088daf4d7653a10263470cd7680f3ac55664fff0884332f0382baef113e
SHA512: 44e939658f3dbf48debea8b337c7fdac4a4b572096fc56da50007f247a53dc6574da7c779c915d21c7765b3d88ba570bb0bf7fb5a7f85849380c596176c05ae4
SSDEEP: 768:bP9g/WItCSsAfFaeOcfXVr3BPOz5CFBmNuFgUjl+Sh:bP9g/xtCS3Dxx0JSh
Malware Config
Signatures
Detection of CryptoLocker Variants (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1392-0-0x0000000000400000-0x000000000040E000-memory.dmp | CryptoLocker_rule2
  \Users\Admin\AppData\Local\Temp\gewos.exe | CryptoLocker_rule2
  behavioral1/memory/1860-16-0x0000000000400000-0x000000000040E000-memory.dmp | CryptoLocker_rule2

UPX dump on OEP (original entry point) (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1392-0-0x0000000000400000-0x000000000040E000-memory.dmp | UPX
  \Users\Admin\AppData\Local\Temp\gewos.exe | UPX
  behavioral1/memory/1860-16-0x0000000000400000-0x000000000040E000-memory.dmp | UPX

Executes dropped EXE (1 IoCs)
  pid | process
  1860 | gewos.exe

Loads dropped DLL (1 IoCs)
  pid | process
  1392 | 2024-04-26_6f631f859a50fe8b47429117b5c33a55_cryptolocker.exe

Matches YARA rule upx (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1392-0-0x0000000000400000-0x000000000040E000-memory.dmp | upx
  \Users\Admin\AppData\Local\Temp\gewos.exe | upx
  behavioral1/memory/1860-16-0x0000000000400000-0x000000000040E000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of UnmapMainImage (2 IoCs)
  pid | process
  1392 | 2024-04-26_6f631f859a50fe8b47429117b5c33a55_cryptolocker.exe
  1860 | gewos.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | target process
  PID 1392 wrote to memory of 1860 | 1392 | 2024-04-26_6f631f859a50fe8b47429117b5c33a55_cryptolocker.exe | gewos.exe
  PID 1392 wrote to memory of 1860 | 1392 | 2024-04-26_6f631f859a50fe8b47429117b5c33a55_cryptolocker.exe | gewos.exe
  PID 1392 wrote to memory of 1860 | 1392 | 2024-04-26_6f631f859a50fe8b47429117b5c33a55_cryptolocker.exe | gewos.exe
  PID 1392 wrote to memory of 1860 | 1392 | 2024-04-26_6f631f859a50fe8b47429117b5c33a55_cryptolocker.exe | gewos.exe
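The UPX signatures above fire on the 0x400000-0x40E000 image ranges the sandbox dumped at the original entry point, i.e. after the stub had already unpacked itself in memory. On disk a UPX-packed file has its own static tells that a triage script can check before any execution: section names starting with UPX, a first section (UPX0) that is large in memory but has zero bytes of raw data, and an entry point that sits in the second section (UPX1, where the decompressor stub lives) rather than the first. The following is an added example and not part of the sandbox report or of any analysis tooling: a header-only PE section parser with those three heuristics, run against two constructed PE images (a UPX-style layout and a plain compiler layout) that are built in the script itself. The fixtures, the function names and the scoring threshold are the example's own assumptions; no bytes of the sample above are used.

```python
import struct
from typing import List, Tuple

SECTION_HEADER_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER (40 bytes)
SECTION_HEADER_LEN = struct.calcsize(SECTION_HEADER_FMT)


def parse_pe_layout(pe: bytes) -> Tuple[int, List[dict]]:
    """Return (AddressOfEntryPoint, section table) of a PE image; ValueError if malformed."""
    try:
        if pe[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        # IMAGE_FILE_HEADER starts at e_lfanew+4: NumberOfSections at +6, SizeOfOptionalHeader at +20
        num_sections, size_opt = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
        # AddressOfEntryPoint is at offset 16 of the optional header (same for PE32 and PE32+)
        entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
        table = e_lfanew + 24 + size_opt
        sections = []
        for i in range(num_sections):
            name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(
                SECTION_HEADER_FMT, pe, table + i * SECTION_HEADER_LEN)
            sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                             "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
        return entry, sections
    except struct.error as exc:
        raise ValueError(f"truncated PE header: {exc}") from None


def upx_indicators(pe: bytes) -> dict:
    """Static UPX tells: UPX* section names, empty-on-disk first section, entry point outside it."""
    entry, sections = parse_pe_layout(pe)
    names = [s["name"] for s in sections]
    upx_names = any(n.upper().startswith("UPX") for n in names)
    # UPX0 is the unpack destination: large VirtualSize, SizeOfRawData 0
    first_empty = bool(sections) and sections[0]["rawsize"] == 0 and sections[0]["vsize"] > 0
    # the decompressor stub (the entry point) lives in UPX1, i.e. not in the first section
    ep = next((s for s in sections if s["vaddr"] <= entry < s["vaddr"] + s["vsize"]), None)
    ep_not_first = ep is not None and ep is not sections[0]
    score = int(upx_names) + int(first_empty) + int(ep_not_first)
    return {"section_names": names, "upx_section_names": upx_names,
            "first_section_empty_on_disk": first_empty,
            "entry_point_section": ep["name"] if ep else None,
            "score": score, "likely_upx": score >= 2}   # threshold is this example's choice


def build_pe(sections: List[Tuple[bytes, int, int, int, int]], entry: int) -> bytes:
    """Build a header-only PE32 image for testing (constructed fixture, not a runnable executable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))              # e_lfanew: PE header follows DOS header
    opt_size = 0xE0                                            # PE32 optional header size
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic: PE32
    struct.pack_into("<I", opt, 16, entry)                     # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, vaddr, rawsize, rawptr,
                    0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rawsize, rawptr in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed layouts: UPX-style (UPX0 empty on disk, entry in UPX1) and a plain compiler layout.
UPX_LIKE_PE = build_pe([(b"UPX0", 0x6000, 0x1000, 0, 0x400),
                        (b"UPX1", 0x3000, 0x7000, 0x2800, 0x400),
                        (b".rsrc", 0x1000, 0xA000, 0x200, 0x2C00)], entry=0x9F00)
PLAIN_PE = build_pe([(b".text", 0x4000, 0x1000, 0x4000, 0x400),
                     (b".rdata", 0x1000, 0x5000, 0x1000, 0x4400),
                     (b".data", 0x1000, 0x6000, 0x400, 0x5400)], entry=0x1500)

if __name__ == "__main__":
    print("upx-like:", upx_indicators(UPX_LIKE_PE))
    print("plain:   ", upx_indicators(PLAIN_PE))
```

Section names are trivially renamed by anyone who rebuilds the packer, so the empty-first-section and entry-point checks carry more weight than the name match; a sample that passes the heuristics is the one to detonate and dump at OEP as the sandbox did here.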
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-04-26_6f631f859a50fe8b47429117b5c33a55_cryptolocker.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-26_6f631f859a50fe8b47429117b5c33a55_cryptolocker.exe"
   - Loads dropped DLL
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\gewos.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
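Read together, the signatures and the process tree describe one chain: a binary running from the user's Temp directory drops gewos.exe beside itself, executes it, writes into the child's memory four times, and both processes unmap their main image. Each of those facts alone is noisy (installers run from Temp, debuggers write process memory), but the combination on a parent/child pair is what an analyst would alert on. The following is an added example, not part of the sandbox report or of any vendor's detection content: a small rule that parses constructed process events mirroring the PIDs and paths above and flags a parent that launches a sibling executable from the user Temp directory and then writes into it, raising the severity when the child also unmaps its own image. The event format, the function names and the severity labels are assumptions of this example; the events are constructed, not exported from the sandbox.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed event format for this example (not a sandbox or Sysmon schema):
#   CREATE pid=<n> parent=<n> image=<path>   process creation
#   WRITE  src=<n> dst=<n>                   src wrote into dst's memory (WriteProcessMemory)
#   UNMAP  pid=<n>                           process unmapped its own main image
EVENT_RE = re.compile(r"^(?P<kind>CREATE|WRITE|UNMAP)\s+(?P<kv>.*)$")
# user-writable temp directory, the drop location seen in the report
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed events mirroring the PIDs and paths in the report above.
SAMPLE_EVENTS = [
    r"CREATE pid=1392 parent=0 image=C:\Users\Admin\AppData\Local\Temp\2024-04-26_6f631f859a50fe8b47429117b5c33a55_cryptolocker.exe",
    r"CREATE pid=1860 parent=1392 image=C:\Users\Admin\AppData\Local\Temp\gewos.exe",
    r"WRITE src=1392 dst=1860",
    r"WRITE src=1392 dst=1860",
    r"WRITE src=1392 dst=1860",
    r"WRITE src=1392 dst=1860",
    r"UNMAP pid=1392",
    r"UNMAP pid=1860",
]
# Constructed benign chain: a shell starting an editor, no memory writes, no unmapping.
BENIGN_EVENTS = [
    r"CREATE pid=500 parent=1 image=C:\Windows\explorer.exe",
    r"CREATE pid=700 parent=500 image=C:\Windows\System32\notepad.exe",
]


@dataclass
class Proc:
    pid: int
    parent: Optional[int]
    image: str
    wrote_to: List[int] = field(default_factory=list)
    unmapped_main_image: bool = False


def _kv(text: str) -> Dict[str, str]:
    # key=value tokens; the sample paths contain no spaces, so a whitespace split is enough
    pairs = (tok.partition("=") for tok in text.split())
    return {k: v for k, _, v in pairs}


def parse_events(lines: List[str]) -> Dict[int, Proc]:
    """Build a pid -> Proc table from event lines; unknown lines are skipped."""
    procs: Dict[int, Proc] = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        kv = _kv(m["kv"])
        if m["kind"] == "CREATE":
            pid = int(kv["pid"])
            procs[pid] = Proc(pid, int(kv["parent"]), kv["image"])
        elif m["kind"] == "WRITE":
            src = int(kv["src"])
            procs.setdefault(src, Proc(src, None, "<unknown>")).wrote_to.append(int(kv["dst"]))
        elif m["kind"] == "UNMAP":
            pid = int(kv["pid"])
            procs.setdefault(pid, Proc(pid, None, "<unknown>")).unmapped_main_image = True
    return procs


def in_user_temp(path: str) -> bool:
    return USER_TEMP_RE.search(path) is not None


def find_drop_and_inject(procs: Dict[int, Proc]) -> List[dict]:
    """Flag a parent that runs a sibling executable from the user temp dir and writes into it."""
    findings = []
    for child in procs.values():
        parent = procs.get(child.parent) if child.parent is not None else None
        if parent is None:
            continue
        dropped_exe = in_user_temp(parent.image) and in_user_temp(child.image)  # Executes dropped EXE
        write_count = parent.wrote_to.count(child.pid)                         # WriteProcessMemory
        if not (dropped_exe and write_count):
            continue
        findings.append({
            "parent_pid": parent.pid, "parent_image": parent.image,
            "child_pid": child.pid, "child_image": child.image,
            "write_count": write_count,
            "child_unmapped_main_image": child.unmapped_main_image,   # UnmapMainImage
            # all three together is the drop-then-hollow shape; two is still worth a look
            "severity": "high" if child.unmapped_main_image else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_drop_and_inject(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On real telemetry the same three conditions map to a process-creation event, a process-access or memory-write event, and an image-unmap or section-unmap event; the join key is the parent/child PID pair, exactly as the report's WriteProcessMemory rows are keyed.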
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe
  Filesize: 56KB
  MD5: d4f7d9512d55d0ceedfee5db1cf4da6b
  SHA1: 29d56be8c483bb4592fb21f8e3ac1eed5318dc40
  SHA256: 8221eef329b138892e661886b00e390bea7123a95d78a4f96ac4e2f3cd3bbc16
  SHA512: c6a2bdb85a6e540b8820c440e038f39da1a2b23dedaba42bb943f0b042d7b2bcba55d0f0c94c091fe33d2da4cf8d20f84504aac9ed42955d8d33a11eb28bf3bb

memory/1392-0-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB

memory/1392-9-0x0000000000370000-0x0000000000376000-memory.dmp
  Filesize: 24KB

memory/1392-2-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB

memory/1392-1-0x0000000000370000-0x0000000000376000-memory.dmp
  Filesize: 24KB

memory/1860-16-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB

memory/1860-25-0x00000000003E0000-0x00000000003E6000-memory.dmp
  Filesize: 24KB