dd3e3d88e11ace4e1db0c57fa2e2db9e9e7975d5545d882b8bb4dab06a6f00f9

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 02:40

Target

2024-05-22_855d7123fb5d9f5122b0f336b4385a91_cryptolocker.exe
Size

39KB
MD5

855d7123fb5d9f5122b0f336b4385a91
SHA1

c2d8c5802819f0e40b47d9ecbf5041ecf3c15acc
SHA256

dd3e3d88e11ace4e1db0c57fa2e2db9e9e7975d5545d882b8bb4dab06a6f00f9
SHA512

dfd68409bc5dd740f2277813c93536e84dfd4c1a6494292dbe110cede9fb772f17eda72a82d105eb208d935d53fa6c1ecc0fef1261ba8b335b16b6620e125320
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunRSyHmYvV82:btB9g/WItCSsAGjX7e9N0hunRvGIV82

Score

9^/10

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\gewos.exe	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

Processes:

gewos.exe

pid process

3040 gewos.exe
Loads dropped DLL 1 IoCs

Processes:

2024-05-22_855d7123fb5d9f5122b0f336b4385a91_cryptolocker.exe

pid process

2420 2024-05-22_855d7123fb5d9f5122b0f336b4385a91_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of UnmapMainImage 2 IoCs

Processes:

2024-05-22_855d7123fb5d9f5122b0f336b4385a91_cryptolocker.exegewos.exe

pid process

2420 2024-05-22_855d7123fb5d9f5122b0f336b4385a91_cryptolocker.exe
3040 gewos.exe

pid	process
3040	gewos.exe

pid	process
2420	2024-05-22_855d7123fb5d9f5122b0f336b4385a91_cryptolocker.exe

pid	process
2420	2024-05-22_855d7123fb5d9f5122b0f336b4385a91_cryptolocker.exe
3040	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-05-22_855d7123fb5d9f5122b0f336b4385a91_cryptolocker.exe

description	pid	process	target process
PID 2420 wrote to memory of 3040	2420	2024-05-22_855d7123fb5d9f5122b0f336b4385a91_cryptolocker.exe	gewos.exe
PID 2420 wrote to memory of 3040	2420	2024-05-22_855d7123fb5d9f5122b0f336b4385a91_cryptolocker.exe	gewos.exe
PID 2420 wrote to memory of 3040	2420	2024-05-22_855d7123fb5d9f5122b0f336b4385a91_cryptolocker.exe	gewos.exe
PID 2420 wrote to memory of 3040	2420	2024-05-22_855d7123fb5d9f5122b0f336b4385a91_cryptolocker.exe	gewos.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

\Users\Admin\AppData\Local\Temp\gewos.exe
Filesize
39KB

MD5
74cb50eaf7e7c4d6159f8f572dcc3b2a

SHA1
471296a20f616e959f8b3d8829f12785a2c45621

SHA256
39829cdd21407927cd69c9a82e56aa1eac669583f37e80bb3b4d32de3c3fb8be

SHA512
acaad96dc7062050b8bdfc38d0709c62a06a75e2a2564cbe8b0fffac2f10ed6b23ce6ce056a0a6ffea3f5b580b1687e1aef51eaee97b2ead0d2aaf04c7c78f2a

Download Submit
memory/2420-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2420-0-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2420-8-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/3040-23-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download