f4005deed0f6bf158a9f5816f2dfce93daac8f3d52f4ae2a4509511fd9bd6453

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe
Size

44KB
MD5

84847084d9ec050f56374785338dd87f
SHA1

c960f10229b5baf12728df5f19144720b4ed1a8b
SHA256

f4005deed0f6bf158a9f5816f2dfce93daac8f3d52f4ae2a4509511fd9bd6453
SHA512

687f295228d7647ea67e313e7654852efccb7a399f16ad3208a92a523c641712870933719193e07312bcee2fb84d456e7450b406553d8e812839f840bf7b8fa3
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNiJXxXunrkwIxZWQpyO:btB9g/WItCSsAGjX7e9N0hunrknljKru

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1744	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
2296	2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2296	2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe
1744	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1744	2296	2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe	28
PID 2296 wrote to memory of 1744	2296	2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe	28
PID 2296 wrote to memory of 1744	2296	2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe	28
PID 2296 wrote to memory of 1744	2296	2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_84847084d9ec050f56374785338dd87f_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
45KB

MD5
8578873c70e641905e748bda9a8272dc

SHA1
e6c11aeaf672625c06df86f9e8456be0f1733b4e

SHA256
d4817604cc56529a90185438a94e047e9b51ab317c06772fa48ef992963fb6be

SHA512
eb1534bf0824f3de201688fa26f90e6cb455bcbe4f77942a4725cb476b41fc0ecc83856199fdcf6a1cef9e80f60d4f06464d0cc98712a36473f092fb1ec2d573

Download Submit
memory/1744-23-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/2296-0-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2296-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2296-8-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download