Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 02:39
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe
- Size: 38KB
- MD5: 83ab1b105c206fd5d37c54c58e90bd99
- SHA1: c71bfd9fe0c429c947718d5b177a9dcbf520e943
- SHA256: 059945b0027aea84d1fcb80dae2f6605fe3bb44a089d06ecf1c2833b11f54661
- SHA512: c08664ee3ec3631c737680b69d1d3ae830720c9462496d65f4d2c5349e29b1b656bc8d23cf26e02ec11b3de6c665eb636d92a9363bdcf97ee9ca2db201e3ab9b
- SSDEEP: 384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunRSyHmYvV8o:btB9g/WItCSsAGjX7e9N0hunRvGIV8o
Malware Config
Signatures
- Detection of CryptoLocker Variants (1 IoCs)
  Processes:
  resource: \Users\Admin\AppData\Local\Temp\gewos.exe | yara_rule: CryptoLocker_rule2
- Executes dropped EXE (1 IoCs)
  Processes:
  pid: 2752 | process: gewos.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid: 1752 | process: 2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes:
  pid: 1752 | process: 2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe
  pid: 2752 | process: gewos.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description: PID 1752 wrote to memory of 2752 | pid: 1752 | process: 2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe | target process: gewos.exe
  description: PID 1752 wrote to memory of 2752 | pid: 1752 | process: 2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe | target process: gewos.exe
  description: PID 1752 wrote to memory of 2752 | pid: 1752 | process: 2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe | target process: gewos.exe
  description: PID 1752 wrote to memory of 2752 | pid: 1752 | process: 2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe | target process: gewos.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe"
  - Loads dropped DLL
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\gewos.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- \Users\Admin\AppData\Local\Temp\gewos.exe
  Filesize: 39KB
  MD5: 4a22638462294237bd7fac71595151e7
  SHA1: 6308c866c97e6a73bf625824717f7469e9f7b9ae
  SHA256: 52af23aa5d8fbd17079e18df770b3577720609bd63c9f46699170769c1da5560
  SHA512: eb116c9760e4de92748915373108f1fece0ebd6313b3c4e7261d71f67dd2f30685d9087b46ef7f23152c2245c46e40efad66e6b326b4d0d4afe41bdb4aefff08
- memory/1752-8-0x00000000005C0000-0x00000000005C6000-memory.dmp
  Filesize: 24KB
- memory/1752-1-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB
- memory/1752-0-0x00000000005C0000-0x00000000005C6000-memory.dmp
  Filesize: 24KB
- memory/2752-23-0x0000000000380000-0x0000000000386000-memory.dmp
  Filesize: 24KB