059945b0027aea84d1fcb80dae2f6605fe3bb44a089d06ecf1c2833b11f54661

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 02:39

Target

2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe
Size

38KB
MD5

83ab1b105c206fd5d37c54c58e90bd99
SHA1

c71bfd9fe0c429c947718d5b177a9dcbf520e943
SHA256

059945b0027aea84d1fcb80dae2f6605fe3bb44a089d06ecf1c2833b11f54661
SHA512

c08664ee3ec3631c737680b69d1d3ae830720c9462496d65f4d2c5349e29b1b656bc8d23cf26e02ec11b3de6c665eb636d92a9363bdcf97ee9ca2db201e3ab9b
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunRSyHmYvV8o:btB9g/WItCSsAGjX7e9N0hunRvGIV8o

Score

9^/10

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\gewos.exe	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

Processes:

gewos.exe

pid process

2752 gewos.exe
Loads dropped DLL 1 IoCs

Processes:

2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe

pid process

1752 2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of UnmapMainImage 2 IoCs

Processes:

2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exegewos.exe

pid process

1752 2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe
2752 gewos.exe

pid	process
2752	gewos.exe

pid	process
1752	2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe

pid	process
1752	2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe
2752	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe

description	pid	process	target process
PID 1752 wrote to memory of 2752	1752	2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe	gewos.exe
PID 1752 wrote to memory of 2752	1752	2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe	gewos.exe
PID 1752 wrote to memory of 2752	1752	2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe	gewos.exe
PID 1752 wrote to memory of 2752	1752	2024-05-22_83ab1b105c206fd5d37c54c58e90bd99_cryptolocker.exe	gewos.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

\Users\Admin\AppData\Local\Temp\gewos.exe
Filesize
39KB

MD5
4a22638462294237bd7fac71595151e7

SHA1
6308c866c97e6a73bf625824717f7469e9f7b9ae

SHA256
52af23aa5d8fbd17079e18df770b3577720609bd63c9f46699170769c1da5560

SHA512
eb116c9760e4de92748915373108f1fece0ebd6313b3c4e7261d71f67dd2f30685d9087b46ef7f23152c2245c46e40efad66e6b326b4d0d4afe41bdb4aefff08

Download Submit
memory/1752-8-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/1752-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1752-0-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/2752-23-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download