5b2986c639b3fb7a0cf2cb01d8a747c953aa664665a9be7997f9071672d8aede

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_58bf2d676c091ddda48478c685c517bf_cryptolocker.exe
Size

55KB
MD5

58bf2d676c091ddda48478c685c517bf
SHA1

a453c2ff125b566fa125f94a399fa7df298b9122
SHA256

5b2986c639b3fb7a0cf2cb01d8a747c953aa664665a9be7997f9071672d8aede
SHA512

b9991ec1c964a3d1687733777db9c6e7a9664bce4c057958290a1f3684ff4ac305e0cbb585804011ae794425fcf68e94f7a98970065d0171ca2e369a9fb77760
SSDEEP

768:bP9g/WItCSsAfFaeOcfXVr3BPOz5CFBmNuFgUjl+P:bP9g/xtCS3Dxx0JP

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 3 IoCs

resource	yara_rule
behavioral1/memory/2084-0-0x0000000000400000-0x000000000040E000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x00090000000122ee-11.dat	CryptoLocker_rule2
behavioral1/memory/2624-16-0x0000000000400000-0x000000000040E000-memory.dmp	CryptoLocker_rule2

UPX dump on OEP (original entry point) 3 IoCs

resource	yara_rule
behavioral1/memory/2084-0-0x0000000000400000-0x000000000040E000-memory.dmp	UPX
behavioral1/files/0x00090000000122ee-11.dat	UPX
behavioral1/memory/2624-16-0x0000000000400000-0x000000000040E000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2624	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2084	2024-04-30_58bf2d676c091ddda48478c685c517bf_cryptolocker.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/files/0x00090000000122ee-11.dat	upx
behavioral1/memory/2624-16-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2084	2024-04-30_58bf2d676c091ddda48478c685c517bf_cryptolocker.exe
2624	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2624	2084	2024-04-30_58bf2d676c091ddda48478c685c517bf_cryptolocker.exe	28
PID 2084 wrote to memory of 2624	2084	2024-04-30_58bf2d676c091ddda48478c685c517bf_cryptolocker.exe	28
PID 2084 wrote to memory of 2624	2084	2024-04-30_58bf2d676c091ddda48478c685c517bf_cryptolocker.exe	28
PID 2084 wrote to memory of 2624	2084	2024-04-30_58bf2d676c091ddda48478c685c517bf_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-30_58bf2d676c091ddda48478c685c517bf_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_58bf2d676c091ddda48478c685c517bf_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
56KB

MD5
86a8d06a0f93b85bf086cba3a265c77c

SHA1
92e9d80bc49d277d9d482575667d32664fe1c5f3

SHA256
7ec441f97b1746785b00108c4e2e8dadff4ad6324749e1b2db7a1a75997f052e

SHA512
5578ba14831aef3b3ea5223f5ba03b7df1b7c8b09a821860c00b8c35370b1d086bbf10a0ef4c04bd60b3383ab1785dadc0c52f1ec7d6ab8750cab39011a368a0

Download Submit
memory/2084-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2084-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2084-9-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2084-1-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2624-16-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2624-25-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download