ce5190286c8cc7400f51fd8c3bf9a55e862e061d434b025bc7a3cf744f5d2444

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:31

Target

2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe
Size

44KB
MD5

549da7ee761464d744109f35485633dd
SHA1

79dcb8475749700ef84c1be502f9a36f4f76effd
SHA256

ce5190286c8cc7400f51fd8c3bf9a55e862e061d434b025bc7a3cf744f5d2444
SHA512

32730ea5921b2823c0ca5152901291085aa007b34db1c885efa6e54627c891691055f39159698f73b5a8e6b1a5c2e5d4a46ca035e2a2d6591300f62e6aa4aea0
SSDEEP

768:b7o/2n1TCraU6GD1a4X0WcO+wMVm+slAMphej6NTJ:bc/y2lkF0+BeVF

Score

9^/10

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\rewok.exe	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

Processes:

rewok.exe

pid process

2724 rewok.exe
Loads dropped DLL 1 IoCs

Processes:

2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe

pid process

2424 2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of UnmapMainImage 2 IoCs

Processes:

2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exerewok.exe

pid process

2424 2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe
2724 rewok.exe

pid	process
2724	rewok.exe

pid	process
2424	2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe

pid	process
2424	2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe
2724	rewok.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe

description	pid	process	target process
PID 2424 wrote to memory of 2724	2424	2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe	rewok.exe
PID 2424 wrote to memory of 2724	2424	2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe	rewok.exe
PID 2424 wrote to memory of 2724	2424	2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe	rewok.exe
PID 2424 wrote to memory of 2724	2424	2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe	rewok.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

\Users\Admin\AppData\Local\Temp\rewok.exe
Filesize
44KB

MD5
0de809fabe8f162cfc68e82abd35b6c4

SHA1
252765e50879ff2889a7a2d30be9f01c64fbbfa0

SHA256
d7f8110074151fb3d2f7c7ceb03ac8e54ea61df30bb67c021fa3192abce5ed07

SHA512
e7a35ba934004fa510dda6602c0b8b55c937d49be1ef47e3e72de199cd467b6ca9ce57ec6e2a02620b0cd0f66ce9bcdc284115305bfb16d3e62cbe10b7a4f7f6

Download Submit
memory/2424-0-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2424-1-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2424-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2724-16-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download