Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/06/2024, 20:34
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-06-06_926baeaa3db5decb93c1bc7e7b538199_cryptolocker.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 2024-06-06_926baeaa3db5decb93c1bc7e7b538199_cryptolocker.exe
  Resource: win10v2004-20240508-en
General

Target: 2024-06-06_926baeaa3db5decb93c1bc7e7b538199_cryptolocker.exe
Size: 37KB
MD5: 926baeaa3db5decb93c1bc7e7b538199
SHA1: 7c53c8e6c6107e96c7196560cdda0482eaf8b75f
SHA256: fe6351bc6062a3c49f8d60e420d69118362ad1d1992d8d921abd64af36d9b2ee
SHA512: 17ef76d0e6c50d73315be4ddc3e2a91ed01df3aff7d81ae265ab8bd88f9366d7580e157a1df77daa04d9dc8f62bbaac6e5801fa2605a97aba540656246139f7b
SSDEEP: 384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunRSyN:btB9g/WItCSsAGjX7e9N0hunRvN
Malware Config

Signatures

Detection of CryptoLocker Variants (1 IoC)
  resource                                    yara_rule
  behavioral2/files/0x000800000002342d-12.dat  CryptoLocker_rule2

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                      process
  Key value queried  \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation  2024-06-06_926baeaa3db5decb93c1bc7e7b538199_cryptolocker.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation  gewos.exe

Executes dropped EXE (1 IoC)
  pid   process
  2572  gewos.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  process                                                        procid_target
  PID 820 wrote to memory of 2572  820  2024-06-06_926baeaa3db5decb93c1bc7e7b538199_cryptolocker.exe  82
  (the same entry is recorded three times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-06-06_926baeaa3db5decb93c1bc7e7b538199_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_926baeaa3db5decb93c1bc7e7b538199_cryptolocker.exe"
   PID: 820
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\gewos.exe (child of PID 820)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      PID: 2572
      - Checks computer location settings
      - Executes dropped EXE
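The three behaviours the Signatures section and the process tree record (a Geo\Nation registry lookup, a dropped executable launched from %TEMP%, and the parent writing into the memory of the child it spawned) can be re-derived from raw sandbox events. The script below is an added example, not part of this report or of the sandbox's own detection logic. It runs over a constructed, simplified event list (kind, pid, process, details) modelled on the rows above; the event schema, the helper `triage` and its finding names are assumptions for illustration, and real sandbox exports use different field names.

```python
"""Re-derive the behaviours flagged in the report (geofence lookup,
drop-and-execute, writes into a self-spawned child) from sandbox-style events.

Added example; the event schema below is constructed for illustration and is
not the sandbox's real export format.
"""
from collections import defaultdict

SAMPLE = "2024-06-06_926baeaa3db5decb93c1bc7e7b538199_cryptolocker.exe"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000"
           r"\Control Panel\International\Geo\Nation")

# Constructed events mirroring the report: PID 820 (the sample) queries the
# Geo\Nation key, spawns gewos.exe (PID 2572) from %TEMP%, writes into it
# three times, and the child repeats the registry query.
EVENTS = [
    {"kind": "process_create", "pid": 820, "process": SAMPLE, "parent": None,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE},
    {"kind": "registry_query", "pid": 820, "process": SAMPLE, "key": GEO_KEY},
    {"kind": "process_create", "pid": 2572, "process": "gewos.exe", "parent": 820,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\gewos.exe"},
    {"kind": "memory_write", "pid": 820, "process": SAMPLE, "target_pid": 2572},
    {"kind": "memory_write", "pid": 820, "process": SAMPLE, "target_pid": 2572},
    {"kind": "memory_write", "pid": 820, "process": SAMPLE, "target_pid": 2572},
    {"kind": "registry_query", "pid": 2572, "process": "gewos.exe", "key": GEO_KEY},
]

# Directories a drop-and-execute child is typically launched from (assumed list).
TEMP_DIRS = ("\\appdata\\local\\temp\\",)


def triage(events):
    """Return findings keyed by behaviour name, each a list of evidence strings."""
    findings = defaultdict(list)
    procs = {}                  # pid -> (process name, parent pid, image path)
    writes = defaultdict(int)   # (writer pid, target pid) -> number of writes

    for ev in events:
        if ev["kind"] == "process_create":
            procs[ev["pid"]] = (ev["process"], ev["parent"], ev["image"])
        elif ev["kind"] == "registry_query":
            # Geofencing: the report flags reads of
            # Control Panel\International\Geo\Nation under the user hive.
            if ev["key"].lower().endswith(r"\control panel\international\geo\nation"):
                findings["geofence_check"].append(f"{ev['process']} (pid {ev['pid']})")
        elif ev["kind"] == "memory_write":
            writes[(ev["pid"], ev["target_pid"])] += 1

    # Executes dropped EXE: a child whose image lives in a temp directory and
    # whose parent was itself created in this trace (the sample is the root,
    # so it is not reported even though it also runs from %TEMP%).
    for pid, (name, parent, image) in procs.items():
        if parent in procs and any(d in image.lower() for d in TEMP_DIRS):
            findings["dropped_exe_executed"].append(
                f"{procs[parent][0]} (pid {parent}) -> {name} (pid {pid})")

    # WriteProcessMemory into a process the writer itself spawned; repeated
    # calls are counted rather than listed as identical rows.
    for (writer, target), n in writes.items():
        if target in procs and procs[target][1] == writer:
            findings["wrote_to_own_child"].append(f"pid {writer} -> pid {target} x{n}")

    return dict(findings)


if __name__ == "__main__":
    for behaviour, evidence in triage(EVENTS).items():
        print(behaviour)
        for line in evidence:
            print("  " + line)
```

The `wrote_to_own_child` rule deliberately requires the write target to be a process the writer created, which is the drop-and-inject shape seen here; a write into an unrelated, pre-existing process would be a separate (and generally more suspicious) injection finding.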
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 37KB
MD5: eca8f38e31cfb028091d12899b09780f
SHA1: de04a0efe4051c9accb6d1561d26c1525c5afe0b
SHA256: 6295503c8f52743b327e61dbaa47e32203267f619093502df637353b6310d996
SHA512: 603417155b65b1ded51b6270c6afaee0278fd1ae696c6b493d81dbbb39190085e96807357b7849055e7b1bac0d07310fca45c5d5919015c82f0f1f4cee79f973

Filesize: 185B
MD5: facf155abd9ca1953f2f76e7437538e1
SHA1: 734a6922907770a1af2dd8f6cadc0e3672c530f0
SHA256: 963c3f0e856c4b9beb889b55ae926042c0f2585f408451076d657e9d618a5404
SHA512: c3b58c68dc73b5cd3b8e72ead477fbb1eca37502d0ab5b7782b51eaf7d5a43fd08e9706220316a06a5e5bd46fdf76acd95f3b860e0324f8f1336f9cd40b85207