a5fd5304d927cde8adc8ec80d3d87bef2cd8639d557a0f6520dcad0d48260acd

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 15:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_49086996702f2ca8e53366c28fc46e65_cryptolocker.exe
Size

46KB
MD5

49086996702f2ca8e53366c28fc46e65
SHA1

2173fca9b65fd39aa9b5f015e3fd289d08ede2fa
SHA256

a5fd5304d927cde8adc8ec80d3d87bef2cd8639d557a0f6520dcad0d48260acd
SHA512

3f19c2d6c14ded6b11763e46bbc63248a131fa4e6b634d9130d125e6c155fd89c47fe42754793ce1830486c0fc394b6aa7106b9168db056aba78388a2c89a54f
SSDEEP

768:bao/2n1TCraU6GD1a4X1XOQ69zbjlAAX5e9zu:bF/y2lFizbR9Xwzu

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000e00000001214d-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
3000	rewok.exe

Loads dropped DLL 1 IoCs

pid	Process
2740	2024-06-27_49086996702f2ca8e53366c28fc46e65_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2740	2024-06-27_49086996702f2ca8e53366c28fc46e65_cryptolocker.exe
3000	rewok.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 3000	2740	2024-06-27_49086996702f2ca8e53366c28fc46e65_cryptolocker.exe	28
PID 2740 wrote to memory of 3000	2740	2024-06-27_49086996702f2ca8e53366c28fc46e65_cryptolocker.exe	28
PID 2740 wrote to memory of 3000	2740	2024-06-27_49086996702f2ca8e53366c28fc46e65_cryptolocker.exe	28
PID 2740 wrote to memory of 3000	2740	2024-06-27_49086996702f2ca8e53366c28fc46e65_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-27_49086996702f2ca8e53366c28fc46e65_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_49086996702f2ca8e53366c28fc46e65_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
46KB

MD5
4d9738b5535e47e7a53e3ae5c60d087b

SHA1
22d3443eff553bb18dfa6ac1e0f9bf94cfeb6a93

SHA256
d8306810c06e5c3149378755d7d294d1f8d970e3d494c7566e53717776630e42

SHA512
5bdea93d88d7e176143a4f0324972e7a5241d3ef182e55d27b3ddd1be5cdebf1a34f4766b0015228981d19660ca70663de6c9896fff3a17ba14ac2fdc907f0cc

Download Submit
memory/2740-0-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/2740-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2740-8-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/3000-23-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download