Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02/06/2024, 04:47
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe
-
Size
38KB
-
MD5
e0933bf13282a97a569428a1a5fcd2c6
-
SHA1
d0d7fa3d8dcdb82316d32f2900caab4ab7856448
-
SHA256
eebe9b66ba690a9f61ce8939bf82ebf3c3f85d7f75f5c62452a9828cc8cc8693
-
SHA512
7a2028b80390d02eba678abeb95134d45e42b421d664c979ab1d97a6ff7e8379564051462e14e46e27cefea180f0d1d4000ea38df4ff86c462da4a5dcd39d76b
-
SSDEEP
768:b7o/2n1TCraU6GD1a4Xt9bRU6zA6o36mhX:bc/y2lLRU6zA6qx
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral1/files/0x000c000000013a7c-10.dat CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
pid Process 2544 rewok.exe -
Loads dropped DLL 1 IoCs
pid Process 2044 2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2044 2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe 2544 rewok.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2044 wrote to memory of 2544 2044 2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe 28 PID 2044 wrote to memory of 2544 2044 2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe 28 PID 2044 wrote to memory of 2544 2044 2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe 28 PID 2044 wrote to memory of 2544 2044 2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\rewok.exe"C:\Users\Admin\AppData\Local\Temp\rewok.exe"2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2544
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39KB
MD59958cec69cea6abc71aab1585903be15
SHA1b85d602582c563684ed411e4a121aacc161f4b92
SHA256c1570f412c7aaac9343325ef34c9264fe9cc0a1993929a304a76ed3572856198
SHA5121e5382b6fab439c66eb77016326c83be399e4b45e00cdcee036064845a48da8f76bce9a752373e90e98d63d55c0dffafef5cb9ffb7600f5af5f307abb36a0dba