Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06/06/2024, 21:37
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe
-
Size
37KB
-
MD5
d63a4bfd6c3f0fa7b34ee6ba32e3e4aa
-
SHA1
92d85fda465f57ebfbba312780a98752b2371c25
-
SHA256
5ed087301ebae874ff5047576072f6e437b53d4d965bcf418e0c0f59d98a78e5
-
SHA512
0a9bc28b8af4f4fa5cc7acbb964334a288d1d1ffd7d5a35e1a6ecefc36284c73d6e2838a890756b3ca098be1e6964747c9fcab31428b1fc7c86a34d75ccd0ad2
-
SSDEEP
384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunRSy0:btB9g/WItCSsAGjX7e9N0hunRv0
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral1/files/0x000d0000000153cf-10.dat CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
pid Process 2072 gewos.exe -
Loads dropped DLL 1 IoCs
pid Process 2156 2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2156 2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe 2072 gewos.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2156 wrote to memory of 2072 2156 2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe 28 PID 2156 wrote to memory of 2072 2156 2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe 28 PID 2156 wrote to memory of 2072 2156 2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe 28 PID 2156 wrote to memory of 2072 2156 2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\gewos.exe"C:\Users\Admin\AppData\Local\Temp\gewos.exe"2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2072
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD51c31ccb88dfc9887ea4f5ae6ceee5431
SHA1edc154feded570292ed4e2c41a524817a97bcc67
SHA2568119e57048ca3bc5b226e628b4625949fcd404c0329269613c1c9c3d4586f7dd
SHA512023084070d07c0e5c9fd626bca774254bef90913399d8f4e507682d93cc71aa9dc89efb79f128060c3389c6d70030befa1ca051367e96be95d2edfccfd4fad54