ae7816ae756570bee009d57b50255e0765b02cd55609ebd23cca00abcf6d35da

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024061598e6a2f73ed0921def99c82efa5ec65acryptolocker.exe
Size

45KB
MD5

98e6a2f73ed0921def99c82efa5ec65a
SHA1

91729d60eaca9d4f78f2d4a1f92989b7a50659d6
SHA256

ae7816ae756570bee009d57b50255e0765b02cd55609ebd23cca00abcf6d35da
SHA512

ea06947ea09282e28c1044cbc517779c321ebf369810164421182ab013aa24d9cd7c3e167942ebb17106e8feeb972bee197715d9cb2448d179aa48a71144cbd5
SSDEEP

768:bao/2n1TCraU6GD1a4X1XOQ69zbjlAAX5e9za:bF/y2lFizbR9Xwza

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2024061598e6a2f73ed0921def99c82efa5ec65acryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4812	rewok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 4812	4732	2024061598e6a2f73ed0921def99c82efa5ec65acryptolocker.exe	81
PID 4732 wrote to memory of 4812	4732	2024061598e6a2f73ed0921def99c82efa5ec65acryptolocker.exe	81
PID 4732 wrote to memory of 4812	4732	2024061598e6a2f73ed0921def99c82efa5ec65acryptolocker.exe	81

C:\Users\Admin\AppData\Local\Temp\2024061598e6a2f73ed0921def99c82efa5ec65acryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024061598e6a2f73ed0921def99c82efa5ec65acryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
46KB

MD5
9445c7eece55bcbb3796ea8d1ffb10ee

SHA1
39df78846a1bc4e26bf35753ef0c8dcfcdfb1962

SHA256
a3bd895e2cf484df549529fb5fc76b1513b741177540940a2e11b4dae2fb288f

SHA512
0856c5f8491853b4a92a84e13dba7ad0f96c2be19f6c50dc43e0b2a5939c89eb822c5f80420d00b53ff88d83f5efb44743f5c4ec3f0ebb720c17c8fa65bacdea

Download Submit
memory/4732-0-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/4732-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4732-8-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/4812-25-0x0000000002090000-0x0000000002096000-memory.dmp

Filesize
24KB

Download