Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27/05/2024, 19:07
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-27_23e2286807afacdfdeee102e1e9d2439_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-27_23e2286807afacdfdeee102e1e9d2439_cryptolocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-05-27_23e2286807afacdfdeee102e1e9d2439_cryptolocker.exe
-
Size
45KB
-
MD5
23e2286807afacdfdeee102e1e9d2439
-
SHA1
5d4fd3d578f5da246a438c717d540bb8f3789d94
-
SHA256
68d130c466aa6b4cc5c3adb2997c055076232302e43eac2d914a8e086f966e09
-
SHA512
05ce5dbb21a6bd966dcbecb620756affc0f23bc056c1cfd58d839a8a1d84765df208a104cbffb721a37678f28d33e8330fd45ae2554e58d02531a94ed12b0b12
-
SSDEEP
768:btB9g/WItCSsAGjX7e9N0hunrknljKr4Q:btB9g/xtCSKqf1rksr9
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral1/files/0x000c00000001470b-10.dat CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
pid Process 3056 gewos.exe -
Loads dropped DLL 1 IoCs
pid Process 2340 2024-05-27_23e2286807afacdfdeee102e1e9d2439_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2340 2024-05-27_23e2286807afacdfdeee102e1e9d2439_cryptolocker.exe 3056 gewos.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2340 wrote to memory of 3056 2340 2024-05-27_23e2286807afacdfdeee102e1e9d2439_cryptolocker.exe 28 PID 2340 wrote to memory of 3056 2340 2024-05-27_23e2286807afacdfdeee102e1e9d2439_cryptolocker.exe 28 PID 2340 wrote to memory of 3056 2340 2024-05-27_23e2286807afacdfdeee102e1e9d2439_cryptolocker.exe 28 PID 2340 wrote to memory of 3056 2340 2024-05-27_23e2286807afacdfdeee102e1e9d2439_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-27_23e2286807afacdfdeee102e1e9d2439_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-27_23e2286807afacdfdeee102e1e9d2439_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\gewos.exe"C:\Users\Admin\AppData\Local\Temp\gewos.exe"2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:3056
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD56ea976dcf261a4c90ab519df8282afc2
SHA162c006064fcbac9bde25f6f359f5730f235db3aa
SHA2562d0090cffb0a137d0a6491677e8e484e0c1cdb3681bc05259ea6cf30d3e6ecfd
SHA512d1a50624c9603a6720360291c83d30ab7d3ce2f7327e3c9e03a1f3536caee63991f6591f197cbf816bbffd6c894f322d6859755b218b6e7e4828af3da2425e61