Overview

overview

10

Static

static

10

2024-05-04...er.exe

windows7-x64

9

2024-05-04...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2024, 05:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-04_d2185f65247467bf809e904b3a801a8b_cryptolocker.exe

  • Size

    38KB

  • MD5

    d2185f65247467bf809e904b3a801a8b

  • SHA1

    5725fa07d67ef96cc72c3cf4baaa7ff7a6e373d7

  • SHA256

    32b74167e18861bb27aa32f8d004340e14ab53ea1f00eb8a64378494716d7627

  • SHA512

    5f2db5e161d7361c7bfd2d078c44010cb0194ed36b7992d9c31883d07c6299290ffcad4d20aba0e9b9ba15874fd0c02b340b48ee4fd5fcd4ac2865932752ab6e

  • SSDEEP

    384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunRSyHmYvV8o:btB9g/WItCSsAGjX7e9N0hunRvGIV8o

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-04_d2185f65247467bf809e904b3a801a8b_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-04_d2185f65247467bf809e904b3a801a8b_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Users\Admin\AppData\Local\Temp\gewos.exe
      "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:3996
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4880

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\gewos.exe
      Filesize

      38KB

      MD5

      4814d0381faea1289673aa1fe932baf4

      SHA1

      ce0b491671a31e08c60abef0d7a5b634178380ac

      SHA256

      66ed7f4da9f8f4a1ec22152564a8b36e89272382b07c4b6a43318ad2208cf793

      SHA512

      90a21f2e8cd97743322c38da9bd94d3ed6f20841060e8d03319b8a04f00fdc981798c25dda6cabc109b5ad15a78017ccdb76522380750aea2ec658615c127354

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gewosik.exe
      Filesize

      185B

      MD5

      58133e62cca1d5c521866ec0e27f0bb4

      SHA1

      2e74140755a248e1a3af3aac0dfba933601b0c4d

      SHA256

      282d6468ab9e9be40cf0276d2569ecacfdd43379165023807afa7643af81435e

      SHA512

      e280ac4c654cc16a41668e3a3c4dc093c8f8521392beeda5418b1954e30e5d29d86bfc922dc7d09b3ba9b3bf5bafea9c4facb3ab20ea17e48de8b4d09ba8950d

      Download Submit

    • memory/3996-20-0x00000000006F0000-0x00000000006F6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4664-0-0x0000000000720000-0x0000000000726000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4664-1-0x0000000000720000-0x0000000000726000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4664-2-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

      Download