1d9db49beb314542567d799304b379293961edb41a4c0e42cf67aaedd37484df

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-11_93a6048a90257900a2ff42c01e756b8c_cryptolocker.exe
Size

62KB
MD5

93a6048a90257900a2ff42c01e756b8c
SHA1

61ecf7977d38f8cf4c11a2c47539fda076e905a1
SHA256

1d9db49beb314542567d799304b379293961edb41a4c0e42cf67aaedd37484df
SHA512

61ce8bbdcdae8e35fbb9ec1fa88b9cdab14cc8c6a3945849679cbe4d9bff89ded80b7db6ea522c82cb784e2434c6da5bbf3ee3ab38ac98bb1b21c03c4eff84d5
SSDEEP

1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHZn/:btng54SMLr+/AO/kIhfoKMHda/

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023424-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	2024-05-11_93a6048a90257900a2ff42c01e756b8c_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	gewos.exe

Executes dropped EXE 1 IoCs

pid	Process
692	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 692	2232	2024-05-11_93a6048a90257900a2ff42c01e756b8c_cryptolocker.exe	81
PID 2232 wrote to memory of 692	2232	2024-05-11_93a6048a90257900a2ff42c01e756b8c_cryptolocker.exe	81
PID 2232 wrote to memory of 692	2232	2024-05-11_93a6048a90257900a2ff42c01e756b8c_cryptolocker.exe	81

C:\Users\Admin\AppData\Local\Temp\2024-05-11_93a6048a90257900a2ff42c01e756b8c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-11_93a6048a90257900a2ff42c01e756b8c_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
62KB

MD5
786bbe351d508f74ea8de26230fd83a6

SHA1
b8357b7c61ac7f3dbfcf5dab3ef27d3ea96b185d

SHA256
f5c17dab7efdb1f54b53d2b5eb93e3acab4f7611e4726360be33c1b97b7ff5f5

SHA512
5d5324d75dfe7ba861c064853236c4542937f792a4b31ec07fad491f01de15ff6a1bb6a37dd71d63c3a1e97a217ea9189ffebd9e42d18aec44c7ab3759973cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewosik.exe

Filesize
185B

MD5
aa89af8479f0e618be30ed8bcd2c9b44

SHA1
070ac64fd6e9946a201cdf12ac1a6d6c5524a42c

SHA256
1b706e6b31c71d8e16ec999c119c0aa901baa03b110c82ff9f34d2984175964f

SHA512
7d59fe91a65284fdbc94de25abfcf93b7828e6f3c7a7988f4d90258c0186265796817b0805946ffdf12de3b18377b8142355a565070c26384ad217c46ebba4a9

Download Submit
memory/692-25-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download
memory/2232-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/2232-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2232-8-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download