Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
02/06/2024, 04:47
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe
-
Size
37KB
-
MD5
e6332a919f6d13faa300c658360d47e2
-
SHA1
f6b32e06b64c129a9c696df7382de130bf5be0a7
-
SHA256
057a66d3ff9ba0c8ebeb0d5e72f5a5533a92ffec743302a2464e48c4c5b66d4e
-
SHA512
851c69a7ad9b2e304cc2ec85a02e5e846b51d1fedd396cd83314449410ef28139f003ee2ecd7e70339db1b2e72eb83aa374958447c41bac42528959137530111
-
SSDEEP
384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunRSyP:btB9g/WItCSsAGjX7e9N0hunRvP
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral1/files/0x000c00000001225d-10.dat CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
pid Process 2616 gewos.exe -
Loads dropped DLL 1 IoCs
pid Process 2820 2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2820 2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe 2616 gewos.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2820 wrote to memory of 2616 2820 2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe 28 PID 2820 wrote to memory of 2616 2820 2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe 28 PID 2820 wrote to memory of 2616 2820 2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe 28 PID 2820 wrote to memory of 2616 2820 2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-02_e6332a919f6d13faa300c658360d47e2_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\gewos.exe"C:\Users\Admin\AppData\Local\Temp\gewos.exe"2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2616
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD507f117d9d0fc98289ea59ac0065219ef
SHA1fc64ff823c7284aaf35e9c86e1764b12ba8ae19b
SHA256567bae3e4a48fde04297939b3fe5b34c8c3ef1c47dba555bc33905ba0b20c9ff
SHA512da93f5679a459b20e0bc262a1c27635f74228c7bd56774d7a05bf8619b41f5cc968f77073ac79b9c86095c18aab805d5e02187a580ac804bc29c28f4ded03d11