Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
02/06/2024, 04:47
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe
-
Size
38KB
-
MD5
e0933bf13282a97a569428a1a5fcd2c6
-
SHA1
d0d7fa3d8dcdb82316d32f2900caab4ab7856448
-
SHA256
eebe9b66ba690a9f61ce8939bf82ebf3c3f85d7f75f5c62452a9828cc8cc8693
-
SHA512
7a2028b80390d02eba678abeb95134d45e42b421d664c979ab1d97a6ff7e8379564051462e14e46e27cefea180f0d1d4000ea38df4ff86c462da4a5dcd39d76b
-
SSDEEP
768:b7o/2n1TCraU6GD1a4Xt9bRU6zA6o36mhX:bc/y2lLRU6zA6qx
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x00050000000232a4-12.dat CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation 2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 2988 rewok.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5048 wrote to memory of 2988 5048 2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe 85 PID 5048 wrote to memory of 2988 5048 2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe 85 PID 5048 wrote to memory of 2988 5048 2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-02_e0933bf13282a97a569428a1a5fcd2c6_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\rewok.exe"C:\Users\Admin\AppData\Local\Temp\rewok.exe"2⤵
- Executes dropped EXE
PID:2988
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39KB
MD59958cec69cea6abc71aab1585903be15
SHA1b85d602582c563684ed411e4a121aacc161f4b92
SHA256c1570f412c7aaac9343325ef34c9264fe9cc0a1993929a304a76ed3572856198
SHA5121e5382b6fab439c66eb77016326c83be399e4b45e00cdcee036064845a48da8f76bce9a752373e90e98d63d55c0dffafef5cb9ffb7600f5af5f307abb36a0dba