Analysis
-
max time kernel
135s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 18:03
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-23_4605fd0fbf5372fbdad8b5aacb641bf2_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-23_4605fd0fbf5372fbdad8b5aacb641bf2_cryptolocker.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-05-23_4605fd0fbf5372fbdad8b5aacb641bf2_cryptolocker.exe
-
Size
36KB
-
MD5
4605fd0fbf5372fbdad8b5aacb641bf2
-
SHA1
dbe083fdc951dc3258ed177e45caab43904d7917
-
SHA256
294ce57d4debcf1e81b99ad8ebe3d4b943960efe535b08c2910dda751b704d9a
-
SHA512
53a21c5e27e0f4fdce9fa9dd3ad7453e23f933ee358df938a1e50b34e4761ac18009c535fb7fc794ebc77a8922138d69d2216d40c7e7f59a984dc1d674029f12
-
SSDEEP
384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2B0qvoLUZ61VCV:btB9g/WItCSsAGjX7r3BTmUQ1V8
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\gewos.exe CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
gewos.exe2024-05-23_4605fd0fbf5372fbdad8b5aacb641bf2_cryptolocker.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation gewos.exe Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation 2024-05-23_4605fd0fbf5372fbdad8b5aacb641bf2_cryptolocker.exe -
Executes dropped EXE 1 IoCs
Processes:
gewos.exepid process 1636 gewos.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2024-05-23_4605fd0fbf5372fbdad8b5aacb641bf2_cryptolocker.exedescription pid process target process PID 3008 wrote to memory of 1636 3008 2024-05-23_4605fd0fbf5372fbdad8b5aacb641bf2_cryptolocker.exe gewos.exe PID 3008 wrote to memory of 1636 3008 2024-05-23_4605fd0fbf5372fbdad8b5aacb641bf2_cryptolocker.exe gewos.exe PID 3008 wrote to memory of 1636 3008 2024-05-23_4605fd0fbf5372fbdad8b5aacb641bf2_cryptolocker.exe gewos.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-23_4605fd0fbf5372fbdad8b5aacb641bf2_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-23_4605fd0fbf5372fbdad8b5aacb641bf2_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\gewos.exe"C:\Users\Admin\AppData\Local\Temp\gewos.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1636
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\gewos.exeFilesize
36KB
MD5b64d5f33b1a013c7ca5400ab1829357e
SHA1644b64f8a783c5677c3b2cd1af51941e1337fbd1
SHA25645e01330df8e08c0ce26fd789050aa434853961997f477efc99cbcd32ca7be0b
SHA512f24f672346f67bbd8e3eb3970ee5f3d04f4c91e5f8d68a272e350ce1cfc4e9677eb6ecb5c043090e573441cb7a27f4828c2c646a64c0a3b07d40c7547accf172
-
C:\Users\Admin\AppData\Local\Temp\gewosik.exeFilesize
185B
MD5d282a3b311547a834b9e746378f56132
SHA18610b0f2a0c71cfe461a902ef136e8c1a9aae6fb
SHA2564d2da39b0cca975066d475141a37076ab0043f7bd8a3484e2369e51a87a7de9b
SHA512da98e7a900721ef20d2770989e19555ed032b60c870d770888807cf1e24faf455aec476918165636976f4533e9548c5c1cb1560ddf223282556d1469a5bccc00
-
memory/1636-25-0x0000000002010000-0x0000000002016000-memory.dmpFilesize
24KB
-
memory/3008-0-0x0000000002230000-0x0000000002236000-memory.dmpFilesize
24KB
-
memory/3008-1-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/3008-8-0x0000000002230000-0x0000000002236000-memory.dmpFilesize
24KB