Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 27-04-2024 22:31
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe
- Resource: win10v2004-20240419-en
General
- Target: 2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe
- Size: 44KB
- MD5: 549da7ee761464d744109f35485633dd
- SHA1: 79dcb8475749700ef84c1be502f9a36f4f76effd
- SHA256: ce5190286c8cc7400f51fd8c3bf9a55e862e061d434b025bc7a3cf744f5d2444
- SHA512: 32730ea5921b2823c0ca5152901291085aa007b34db1c885efa6e54627c891691055f39159698f73b5a8e6b1a5c2e5d4a46ca035e2a2d6591300f62e6aa4aea0
- SSDEEP: 768:b7o/2n1TCraU6GD1a4X0WcO+wMVm+slAMphej6NTJ:bc/y2lkF0+BeVF
Malware Config
Signatures
- Detection of CryptoLocker Variants (1 IoCs)
  Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\rewok.exe / CryptoLocker_rule2
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  2724 / rewok.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
  2424 / 2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes (pid / process):
  2424 / 2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe
  2724 / rewok.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  PID 2424 wrote to memory of 2724 / 2424 / 2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe / rewok.exe
  PID 2424 wrote to memory of 2724 / 2424 / 2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe / rewok.exe
  PID 2424 wrote to memory of 2724 / 2424 / 2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe / rewok.exe
  PID 2424 wrote to memory of 2724 / 2424 / 2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe / rewok.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-27_549da7ee761464d744109f35485633dd_cryptolocker.exe"
  - Loads dropped DLL
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\rewok.exe (child of [1])
    Command line: "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- \Users\Admin\AppData\Local\Temp\rewok.exe
  Filesize: 44KB
  MD5: 0de809fabe8f162cfc68e82abd35b6c4
  SHA1: 252765e50879ff2889a7a2d30be9f01c64fbbfa0
  SHA256: d7f8110074151fb3d2f7c7ceb03ac8e54ea61df30bb67c021fa3192abce5ed07
  SHA512: e7a35ba934004fa510dda6602c0b8b55c937d49be1ef47e3e72de199cd467b6ca9ce57ec6e2a02620b0cd0f66ce9bcdc284115305bfb16d3e62cbe10b7a4f7f6
- memory/2424-0-0x0000000000390000-0x0000000000396000-memory.dmp
  Filesize: 24KB
- memory/2424-1-0x0000000000390000-0x0000000000396000-memory.dmp
  Filesize: 24KB
- memory/2424-2-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB
- memory/2724-16-0x0000000000350000-0x0000000000356000-memory.dmp
  Filesize: 24KB