Analysis
-
max time kernel
93s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
06-06-2024 21:37
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe
-
Size
37KB
-
MD5
d63a4bfd6c3f0fa7b34ee6ba32e3e4aa
-
SHA1
92d85fda465f57ebfbba312780a98752b2371c25
-
SHA256
5ed087301ebae874ff5047576072f6e437b53d4d965bcf418e0c0f59d98a78e5
-
SHA512
0a9bc28b8af4f4fa5cc7acbb964334a288d1d1ffd7d5a35e1a6ecefc36284c73d6e2838a890756b3ca098be1e6964747c9fcab31428b1fc7c86a34d75ccd0ad2
-
SSDEEP
384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunRSy0:btB9g/WItCSsAGjX7e9N0hunRv0
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x000d0000000233cb-15.dat CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation 2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation gewos.exe -
Executes dropped EXE 1 IoCs
pid Process 2816 gewos.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2032 wrote to memory of 2816 2032 2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe 81 PID 2032 wrote to memory of 2816 2032 2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe 81 PID 2032 wrote to memory of 2816 2032 2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-06_d63a4bfd6c3f0fa7b34ee6ba32e3e4aa_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Users\Admin\AppData\Local\Temp\gewos.exe"C:\Users\Admin\AppData\Local\Temp\gewos.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2816
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD51c31ccb88dfc9887ea4f5ae6ceee5431
SHA1edc154feded570292ed4e2c41a524817a97bcc67
SHA2568119e57048ca3bc5b226e628b4625949fcd404c0329269613c1c9c3d4586f7dd
SHA512023084070d07c0e5c9fd626bca774254bef90913399d8f4e507682d93cc71aa9dc89efb79f128060c3389c6d70030befa1ca051367e96be95d2edfccfd4fad54
-
Filesize
185B
MD596e563d0eedebd06e003b8004418d248
SHA182116228048d05603815cc6365cc8f3433e61615
SHA256dbf4d13fb4e427e07fe129fbef73aa9c4ac9f4674391cb53cb4f0f947752386e
SHA5123683e95fbc79c983b9a92ed158ee9a27d01eb356100aa82cf8d1c629daf0ce367d2f1c2757bfe7ac03d6a322eea0faeeec7b547d12a84a185580d567c00818d4