Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/05/2024, 03:50

General

  • Target

    2024-05-26_aa44caf6478289043774feece217573a_cryptolocker.exe

  • Size

    36KB

  • MD5

    aa44caf6478289043774feece217573a

  • SHA1

    dd454faf4f6f8f5e4d374ac4213274ca38ddf8f8

  • SHA256

    1fce562d33b6ed2fd5e6afe4cf856bfcc21e679ba8d7344527a530a233697ae5

  • SHA512

    b6cdfd8114e26061f2bb56df0b6960c688c6a2fa210b06dd7178d05e3f4c55fca7afc610586d84b812018afdffd24b7cbd1caec51a8151e9f24969dd051b9c9f

  • SSDEEP

    384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2B0qZ5at:btB9g/WItCSsAGjX7r3BTZ52

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-26_aa44caf6478289043774feece217573a_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-26_aa44caf6478289043774feece217573a_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Users\Admin\AppData\Local\Temp\gewos.exe
      "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:4992
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:5792

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\gewos.exe

            Filesize

            36KB

            MD5

            d046b310113223544a59c64b46e2721a

            SHA1

            30850ef625daacf9f55539f51f248cd31dc7a477

            SHA256

            24b1d02f70ecf999693bf5e2225bd642ff5bab6ac6c78931f1e1d50306c79f1b

            SHA512

            bb93247e5518e5e8b263cb5124eec3a1478c0393ecb818bd1d5bb3b3803a3e9ab235439758337e90e9f907b9bac566fe47062bc171993286596c0ed1d08e183d

          • C:\Users\Admin\AppData\Local\Temp\gewosik.exe

            Filesize

            185B

            MD5

            2f46acc858654b2fc3ed644895eeaa87

            SHA1

            4c4f0eb3f4a5298d4152881277932dfbe07beb09

            SHA256

            8a93b1618cf8a42deff24d2bd50bf8066ba7bac9c7de148d3cb6b86007b1e417

            SHA512

            7382af2d4bc46d519e62eb15283bf3de61a9051c2ea9f1f828323fe4d992669fe6aed8b89b82659092cbb1107eb7cbb00f75a9d52f911a9900f8e0058240c8e7

          • memory/2260-0-0x00000000021D0000-0x00000000021D6000-memory.dmp

            Filesize

            24KB

          • memory/2260-1-0x00000000021D0000-0x00000000021D6000-memory.dmp

            Filesize

            24KB

          • memory/2260-2-0x0000000000400000-0x0000000000406000-memory.dmp

            Filesize

            24KB

          • memory/4992-25-0x0000000002200000-0x0000000002206000-memory.dmp

            Filesize

            24KB