ae42a3c7fd291eda78f37e5694c4b406134a651346d60cae4adb85e3a67d6a09

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-14_6a4de02fcaa2bf845fb7ce2bd2f48eed_cryptolocker.exe
Size

56KB
MD5

6a4de02fcaa2bf845fb7ce2bd2f48eed
SHA1

42c8013ec6b9e65b041c0673a7640f7064dbb031
SHA256

ae42a3c7fd291eda78f37e5694c4b406134a651346d60cae4adb85e3a67d6a09
SHA512

49270ee48bb07bf39c064cff8c9db5d4f2d1a32eb9234d6a7ba930f0e429f1e238981753d3c9fbc75f7355cb4369e17fb827efc84b0f33eaaa7fa843ce3bf3fd
SSDEEP

768:bP9g/WItCSsAfFaeOcfXVr3BPOz5CFBmNuFgUjNJU:bP9g/xtCS3Dxx05

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

resource	yara_rule
behavioral1/memory/2416-0-0x0000000000400000-0x000000000040E000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000c00000001227f-11.dat	CryptoLocker_rule2
behavioral1/memory/2416-14-0x00000000004F0000-0x00000000004FE000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/3004-17-0x0000000000400000-0x000000000040E000-memory.dmp	CryptoLocker_rule2

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral1/memory/2416-0-0x0000000000400000-0x000000000040E000-memory.dmp	UPX
behavioral1/files/0x000c00000001227f-11.dat	UPX
behavioral1/memory/2416-14-0x00000000004F0000-0x00000000004FE000-memory.dmp	UPX
behavioral1/memory/3004-17-0x0000000000400000-0x000000000040E000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
3004	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2416	2024-05-14_6a4de02fcaa2bf845fb7ce2bd2f48eed_cryptolocker.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2416-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/files/0x000c00000001227f-11.dat	upx
behavioral1/memory/2416-14-0x00000000004F0000-0x00000000004FE000-memory.dmp	upx
behavioral1/memory/3004-17-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2416	2024-05-14_6a4de02fcaa2bf845fb7ce2bd2f48eed_cryptolocker.exe
3004	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 3004	2416	2024-05-14_6a4de02fcaa2bf845fb7ce2bd2f48eed_cryptolocker.exe	28
PID 2416 wrote to memory of 3004	2416	2024-05-14_6a4de02fcaa2bf845fb7ce2bd2f48eed_cryptolocker.exe	28
PID 2416 wrote to memory of 3004	2416	2024-05-14_6a4de02fcaa2bf845fb7ce2bd2f48eed_cryptolocker.exe	28
PID 2416 wrote to memory of 3004	2416	2024-05-14_6a4de02fcaa2bf845fb7ce2bd2f48eed_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-14_6a4de02fcaa2bf845fb7ce2bd2f48eed_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-14_6a4de02fcaa2bf845fb7ce2bd2f48eed_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
56KB

MD5
5a60d7d526a12ecfee4dbe9ecc7aa5b8

SHA1
6d3adb1c0df72271c8f3ecc13c989706b33484fb

SHA256
30f007956721940da0956842291df66bb575b98028823cf156cc2a1ad37b97f9

SHA512
358c7ff640c87c21b69ae2889b275246eb11ceb2ddc5a89899a6fb3ddb95c98bbc7a8fdf09b73b99b60af4fe0b6b37929dcaf06c34b6b010c62acf653cf781b4

Download Submit
memory/2416-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2416-1-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2416-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2416-9-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2416-14-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/3004-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3004-26-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download