8d847ace4d99fd98e99f4078ca19583a2e083005c671694f5954b1dec3b02608

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:36

Target

2024-04-27_8c34f72af16a0df9c8957fe92fb9a6cd_cryptolocker.exe
Size

43KB
MD5

8c34f72af16a0df9c8957fe92fb9a6cd
SHA1

3892a805265a9195c1e03a20e7e0907337a0b8fa
SHA256

8d847ace4d99fd98e99f4078ca19583a2e083005c671694f5954b1dec3b02608
SHA512

ccaea228c34ec5e93b43a51c8fc48f21d420dba9bb1a59ea17f7918c744fb5c7290f736bf2ecf642c8264288189df9727e161870bdbfa7de1f91d69a933a6e2b
SSDEEP

768:b7o/2n1TCraU6GD1a4X0WcO+wMVm+slAMphqR:bc/y2lkF0+BeqR

Score

9^/10

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rewok.exe	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

Processes:

rewok.exe

pid process

2484 rewok.exe
Loads dropped DLL 1 IoCs

Processes:

2024-04-27_8c34f72af16a0df9c8957fe92fb9a6cd_cryptolocker.exe

pid process

2860 2024-04-27_8c34f72af16a0df9c8957fe92fb9a6cd_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of UnmapMainImage 2 IoCs

Processes:

2024-04-27_8c34f72af16a0df9c8957fe92fb9a6cd_cryptolocker.exerewok.exe

pid process

2860 2024-04-27_8c34f72af16a0df9c8957fe92fb9a6cd_cryptolocker.exe
2484 rewok.exe

pid	process
2484	rewok.exe

pid	process
2860	2024-04-27_8c34f72af16a0df9c8957fe92fb9a6cd_cryptolocker.exe

pid	process
2860	2024-04-27_8c34f72af16a0df9c8957fe92fb9a6cd_cryptolocker.exe
2484	rewok.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-04-27_8c34f72af16a0df9c8957fe92fb9a6cd_cryptolocker.exe

description	pid	process	target process
PID 2860 wrote to memory of 2484	2860	2024-04-27_8c34f72af16a0df9c8957fe92fb9a6cd_cryptolocker.exe	rewok.exe
PID 2860 wrote to memory of 2484	2860	2024-04-27_8c34f72af16a0df9c8957fe92fb9a6cd_cryptolocker.exe	rewok.exe
PID 2860 wrote to memory of 2484	2860	2024-04-27_8c34f72af16a0df9c8957fe92fb9a6cd_cryptolocker.exe	rewok.exe
PID 2860 wrote to memory of 2484	2860	2024-04-27_8c34f72af16a0df9c8957fe92fb9a6cd_cryptolocker.exe	rewok.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

C:\Users\Admin\AppData\Local\Temp\rewok.exe
Filesize
43KB

MD5
7f74b389b86f4a1f1b5d210eddb0ede5

SHA1
0364e44cf5daab81cb50b8545ffd14224da7ea2f

SHA256
15d4067b8a0892449d14efffba23d5c2cc186ec09a3aed406231143ac826bdde

SHA512
746d0ffe1e6d11888d710684fbf045725003cfc3f99346ee5bbcb8e203d04a0805566904e1c62f1f95782afe0179fa04fb2c92b72707cb0cf1ce904b0e821375

Download Submit
memory/2484-23-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2860-0-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2860-8-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2860-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download