c8eefc92d1c94c7a0ef25a3c26be09b1534e57c453ce8f9901ab4db6419f373e

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 16:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_88c43b9915fc1a7b2f67fc8aa9b014dc_cryptolocker.exe
Size

60KB
MD5

88c43b9915fc1a7b2f67fc8aa9b014dc
SHA1

8a54db969a2f4f5971aa4e791d10a177c5b73cf2
SHA256

c8eefc92d1c94c7a0ef25a3c26be09b1534e57c453ce8f9901ab4db6419f373e
SHA512

0b0315c359ebcfc378c1e37cda60db182b9702f536929e2e3916fb71e86559495dd121ac94698f100d37e1ae119061d3bccdeef2d4b86a878c7417520133c765
SSDEEP

1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHZnK:btng54SMLr+/AO/kIhfoKMHdaK

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022f1f-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	2024-04-29_88c43b9915fc1a7b2f67fc8aa9b014dc_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	gewos.exe

Executes dropped EXE 1 IoCs

pid	Process
4720	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 4720	3012	2024-04-29_88c43b9915fc1a7b2f67fc8aa9b014dc_cryptolocker.exe	83
PID 3012 wrote to memory of 4720	3012	2024-04-29_88c43b9915fc1a7b2f67fc8aa9b014dc_cryptolocker.exe	83
PID 3012 wrote to memory of 4720	3012	2024-04-29_88c43b9915fc1a7b2f67fc8aa9b014dc_cryptolocker.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-04-29_88c43b9915fc1a7b2f67fc8aa9b014dc_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_88c43b9915fc1a7b2f67fc8aa9b014dc_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
61KB

MD5
79222ea0ca1903191e7e95ad4a30761b

SHA1
166f3cdbbb78a56b263794536268058ad7de52f9

SHA256
3f50dbeecc57cacdef096b2419e368e78a1d0f8b9ad00557b5a49d069b952a72

SHA512
12acde3795eb63dd481f6d935d6f332d1aef3948fea148079608457758258e967d6d78f4e3c1e19cb15417d2b533e5d4f9710b1ac81e23536070eb02b80a9ff7

Download Submit
memory/3012-0-0x00000000020D0000-0x00000000020D6000-memory.dmp

Filesize
24KB

Download
memory/3012-8-0x00000000020D0000-0x00000000020D6000-memory.dmp

Filesize
24KB

Download
memory/3012-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4720-25-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download