Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
26/05/2024, 03:50
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-26_aa44caf6478289043774feece217573a_cryptolocker.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-05-26_aa44caf6478289043774feece217573a_cryptolocker.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-05-26_aa44caf6478289043774feece217573a_cryptolocker.exe
-
Size
36KB
-
MD5
aa44caf6478289043774feece217573a
-
SHA1
dd454faf4f6f8f5e4d374ac4213274ca38ddf8f8
-
SHA256
1fce562d33b6ed2fd5e6afe4cf856bfcc21e679ba8d7344527a530a233697ae5
-
SHA512
b6cdfd8114e26061f2bb56df0b6960c688c6a2fa210b06dd7178d05e3f4c55fca7afc610586d84b812018afdffd24b7cbd1caec51a8151e9f24969dd051b9c9f
-
SSDEEP
384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2B0qZ5at:btB9g/WItCSsAGjX7r3BTZ52
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x0008000000023262-12.dat CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation gewos.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 2024-05-26_aa44caf6478289043774feece217573a_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 4992 gewos.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2260 wrote to memory of 4992 2260 2024-05-26_aa44caf6478289043774feece217573a_cryptolocker.exe 91 PID 2260 wrote to memory of 4992 2260 2024-05-26_aa44caf6478289043774feece217573a_cryptolocker.exe 91 PID 2260 wrote to memory of 4992 2260 2024-05-26_aa44caf6478289043774feece217573a_cryptolocker.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-26_aa44caf6478289043774feece217573a_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-26_aa44caf6478289043774feece217573a_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\gewos.exe"C:\Users\Admin\AppData\Local\Temp\gewos.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:81⤵PID:5792
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5d046b310113223544a59c64b46e2721a
SHA130850ef625daacf9f55539f51f248cd31dc7a477
SHA25624b1d02f70ecf999693bf5e2225bd642ff5bab6ac6c78931f1e1d50306c79f1b
SHA512bb93247e5518e5e8b263cb5124eec3a1478c0393ecb818bd1d5bb3b3803a3e9ab235439758337e90e9f907b9bac566fe47062bc171993286596c0ed1d08e183d
-
Filesize
185B
MD52f46acc858654b2fc3ed644895eeaa87
SHA14c4f0eb3f4a5298d4152881277932dfbe07beb09
SHA2568a93b1618cf8a42deff24d2bd50bf8066ba7bac9c7de148d3cb6b86007b1e417
SHA5127382af2d4bc46d519e62eb15283bf3de61a9051c2ea9f1f828323fe4d992669fe6aed8b89b82659092cbb1107eb7cbb00f75a9d52f911a9900f8e0058240c8e7