2ab5265e23f86ec6bd18d221e3ec4d33e91afecff2a3b503ea5f159d383d8de7

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 09:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_e21e6cba14f3549e88dabf88e547bed7_cryptolocker.exe
Size

57KB
MD5

e21e6cba14f3549e88dabf88e547bed7
SHA1

bac38b4c99e90069d918fa8551ea5e35ef6662fb
SHA256

2ab5265e23f86ec6bd18d221e3ec4d33e91afecff2a3b503ea5f159d383d8de7
SHA512

c4d2baf660a137ea59573548c762167cbf016235bc766cb6a22156a2881aa1d838bf1c96c612baf1038025b5755365f13cc08a51562d2a122a0aeb4ad0586c15
SSDEEP

768:bP9g/WItCSsAfFaeOcfXVr3BPOz5CFBmNuFgUjlYn:bP9g/xtCS3Dxx0Ln

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 3 IoCs

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x000000000040E000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000a000000012286-15.dat	CryptoLocker_rule2
behavioral1/memory/2676-16-0x0000000000400000-0x000000000040E000-memory.dmp	CryptoLocker_rule2

UPX dump on OEP (original entry point) 3 IoCs

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x000000000040E000-memory.dmp	UPX
behavioral1/files/0x000a000000012286-15.dat	UPX
behavioral1/memory/2676-16-0x0000000000400000-0x000000000040E000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2676	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2236	2024-06-11_e21e6cba14f3549e88dabf88e547bed7_cryptolocker.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/files/0x000a000000012286-15.dat	upx
behavioral1/memory/2676-16-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2236	2024-06-11_e21e6cba14f3549e88dabf88e547bed7_cryptolocker.exe
2676	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2676	2236	2024-06-11_e21e6cba14f3549e88dabf88e547bed7_cryptolocker.exe	28
PID 2236 wrote to memory of 2676	2236	2024-06-11_e21e6cba14f3549e88dabf88e547bed7_cryptolocker.exe	28
PID 2236 wrote to memory of 2676	2236	2024-06-11_e21e6cba14f3549e88dabf88e547bed7_cryptolocker.exe	28
PID 2236 wrote to memory of 2676	2236	2024-06-11_e21e6cba14f3549e88dabf88e547bed7_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-11_e21e6cba14f3549e88dabf88e547bed7_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_e21e6cba14f3549e88dabf88e547bed7_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
57KB

MD5
b65917ff03b2651925bfe94dae891094

SHA1
4fd700faa5b80c5f42a02c4173d9871a81691b41

SHA256
e848c9a4c3a51a1b7ae816b9fe558777c5d7fa6d485cbddc395a6f6e643aac01

SHA512
71465f191e2303ce449cdc7945ffd0743bfd9043702fbe546582684e37035222d94ed60c83724d5edc81eb8afd2a8a54f785611f994866d97627f62023f67f67

Download Submit
memory/2236-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2236-1-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2236-9-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2236-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2676-16-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2676-25-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download