159fc68d8dcd775b0d89d2af1cc94419b2a5d4fa2192b123a2edb6966f8dc6eb

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_585aab84e070512bdaa73be1abc4fb4b_cryptolocker.exe
Size

37KB
MD5

585aab84e070512bdaa73be1abc4fb4b
SHA1

f3664516cf041ebf46b765b327a220f2c4689c96
SHA256

159fc68d8dcd775b0d89d2af1cc94419b2a5d4fa2192b123a2edb6966f8dc6eb
SHA512

4cfb18fae7ef68b5f584dcba97bcc860539a552f23b248376c55bde0fd3f0128b2a7383cecce3fdeb967db864b18388c0a43a5aff2f5d2ad152dedd1ee0236bf
SSDEEP

768:b7o/2n1TCraU6GD1a4Xt9bRU6zA6o36mi:bc/y2lLRU6zA6qi

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012279-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2712	rewok.exe

Loads dropped DLL 1 IoCs

pid	Process
3000	2024-04-26_585aab84e070512bdaa73be1abc4fb4b_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3000	2024-04-26_585aab84e070512bdaa73be1abc4fb4b_cryptolocker.exe
2712	rewok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2712	3000	2024-04-26_585aab84e070512bdaa73be1abc4fb4b_cryptolocker.exe	28
PID 3000 wrote to memory of 2712	3000	2024-04-26_585aab84e070512bdaa73be1abc4fb4b_cryptolocker.exe	28
PID 3000 wrote to memory of 2712	3000	2024-04-26_585aab84e070512bdaa73be1abc4fb4b_cryptolocker.exe	28
PID 3000 wrote to memory of 2712	3000	2024-04-26_585aab84e070512bdaa73be1abc4fb4b_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-26_585aab84e070512bdaa73be1abc4fb4b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_585aab84e070512bdaa73be1abc4fb4b_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
37KB

MD5
b1efdb373a6cca1489e9a4b1e0788eca

SHA1
7429974c568468b197a8cbe18c24dbcd084265bc

SHA256
d46872730e64e1c22429940a7a3830c4e1d0a9d898fa4feb5e25c5c20633cea2

SHA512
be320812378368151964f8d6b747443b80856f891a9d2dd5003cd21d89475250143846e36db1ac164a5052c99476cc58920168e8595dece086f17fa9aeaa53f1

Download Submit
memory/2712-23-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/3000-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3000-0-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/3000-8-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download