Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/06/2024, 20:34

General

  • Target

    2024-06-06_926baeaa3db5decb93c1bc7e7b538199_cryptolocker.exe

  • Size

    37KB

  • MD5

    926baeaa3db5decb93c1bc7e7b538199

  • SHA1

    7c53c8e6c6107e96c7196560cdda0482eaf8b75f

  • SHA256

    fe6351bc6062a3c49f8d60e420d69118362ad1d1992d8d921abd64af36d9b2ee

  • SHA512

    17ef76d0e6c50d73315be4ddc3e2a91ed01df3aff7d81ae265ab8bd88f9366d7580e157a1df77daa04d9dc8f62bbaac6e5801fa2605a97aba540656246139f7b

  • SSDEEP

    384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunRSyN:btB9g/WItCSsAGjX7e9N0hunRvN

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-06_926baeaa3db5decb93c1bc7e7b538199_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-06_926baeaa3db5decb93c1bc7e7b538199_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Users\Admin\AppData\Local\Temp\gewos.exe
      "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:2572

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\gewos.exe

          Filesize

          37KB

          MD5

          eca8f38e31cfb028091d12899b09780f

          SHA1

          de04a0efe4051c9accb6d1561d26c1525c5afe0b

          SHA256

          6295503c8f52743b327e61dbaa47e32203267f619093502df637353b6310d996

          SHA512

          603417155b65b1ded51b6270c6afaee0278fd1ae696c6b493d81dbbb39190085e96807357b7849055e7b1bac0d07310fca45c5d5919015c82f0f1f4cee79f973

        • C:\Users\Admin\AppData\Local\Temp\gewosik.exe

          Filesize

          185B

          MD5

          facf155abd9ca1953f2f76e7437538e1

          SHA1

          734a6922907770a1af2dd8f6cadc0e3672c530f0

          SHA256

          963c3f0e856c4b9beb889b55ae926042c0f2585f408451076d657e9d618a5404

          SHA512

          c3b58c68dc73b5cd3b8e72ead477fbb1eca37502d0ab5b7782b51eaf7d5a43fd08e9706220316a06a5e5bd46fdf76acd95f3b860e0324f8f1336f9cd40b85207

        • memory/820-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

          Filesize

          24KB

        • memory/820-1-0x0000000000400000-0x0000000000406000-memory.dmp

          Filesize

          24KB

        • memory/820-8-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

          Filesize

          24KB

        • memory/2572-25-0x00000000020A0000-0x00000000020A6000-memory.dmp

          Filesize

          24KB