0faf5a6bc551d7ab260d049292803126d44c901691d1f0ee872ef3b36010bc20

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-14_b3392cdfdcf83847a7ad2f5e461190ec_cryptolocker.exe
Size

40KB
MD5

b3392cdfdcf83847a7ad2f5e461190ec
SHA1

c9e5651f5eca6538bb5fdc6ee799f573c49090f3
SHA256

0faf5a6bc551d7ab260d049292803126d44c901691d1f0ee872ef3b36010bc20
SHA512

909b77b5378330f273b264cb5c907d0c25af213740aaf095a81e169df48f6a19b3058f9c2784a3500a02878ac0b4fca73680cc8a7eacc35e68732431b621e1e5
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunKzH15U/EyCH:btB9g/WItCSsAGjX7e9N0hunKLYNCH

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000900000002328e-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2024-05-14_b3392cdfdcf83847a7ad2f5e461190ec_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	gewos.exe

Executes dropped EXE 1 IoCs

pid	Process
2188	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 2188	5112	2024-05-14_b3392cdfdcf83847a7ad2f5e461190ec_cryptolocker.exe	82
PID 5112 wrote to memory of 2188	5112	2024-05-14_b3392cdfdcf83847a7ad2f5e461190ec_cryptolocker.exe	82
PID 5112 wrote to memory of 2188	5112	2024-05-14_b3392cdfdcf83847a7ad2f5e461190ec_cryptolocker.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-05-14_b3392cdfdcf83847a7ad2f5e461190ec_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-14_b3392cdfdcf83847a7ad2f5e461190ec_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
40KB

MD5
a03bd13a38055a98a4725f349bb3f40e

SHA1
41b05b8c8486bff0456108bcd148ac7dc1599b8e

SHA256
4d7df4510d58bd44a65c00c2052fe62182efb370634758b43d8f73f737f2ff00

SHA512
70a92024e0f3fd32b7e60c920c9acc0213fc93be96ed40e83acf6134229b39d20e4dc75eafade343ee0227673901cc1a6a0855ed43067caa3cb5778aa0351bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewosik.exe

Filesize
185B

MD5
ee6036f2c6e935ec6dc6a65ed9b1826f

SHA1
bda6b447633e4a78908b1f09fe1ffaa0bd256626

SHA256
865d3358d2eba7dcecbe8d9e0ffebb636e8082305b70eaaf79bfb5f6a770fe62

SHA512
13b4200190a5befdc7570d2f0d45bafc81689b3a4ec5f9c40f37bdf0b9b3fb2e7f41bc0932cc505edc2d97fb2b6bc48594368976d867b564fe51f772035a4a09

Download Submit
memory/2188-25-0x0000000002090000-0x0000000002096000-memory.dmp

Filesize
24KB

Download
memory/5112-0-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/5112-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5112-8-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download