Analysis

max time kernel: 132s
max time network: 139s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2024 03:06
Static task: static1

Behavioral task: behavioral1
Sample: 2024-10-12_b1954077fdbe19cd082369851d08bc2e_cryptolocker.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2024-10-12_b1954077fdbe19cd082369851d08bc2e_cryptolocker.exe
Resource: win10v2004-20241007-en
General

Target: 2024-10-12_b1954077fdbe19cd082369851d08bc2e_cryptolocker.exe
Size: 36KB
MD5: b1954077fdbe19cd082369851d08bc2e
SHA1: 36611b1b7c80329b34c4aa03055848dd7dcba7c4
SHA256: 7262eadd35370b14fd1990e3c05583288725059541a04f3c8be5dcfa940821bf
SHA512: 8e8e430789d43a4504ace0b1382c22e0190564b50fd14b36c6e2cc2abac0be82f80544bb4c466d19d15f8d6f044d45bc4d9988abdb5628ea623a23502b4068cc
SSDEEP: 384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2BodcAOjbQ36ttTa:btB9g/WItCSsAGjX7r3BGub8V
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  PID   Process
  2304  gewos.exe

Loads dropped DLL (1 IoCs)
  PID   Process
  1484  2024-10-12_b1954077fdbe19cd082369851d08bc2e_cryptolocker.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      2024-10-12_b1954077fdbe19cd082369851d08bc2e_cryptolocker.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      gewos.exe
Suspicious use of UnmapMainImage (2 IoCs)
  PID   Process
  1484  2024-10-12_b1954077fdbe19cd082369851d08bc2e_cryptolocker.exe
  2304  gewos.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Description                      PID   Process                                                        procid_target
  PID 1484 wrote to memory of 2304  1484  2024-10-12_b1954077fdbe19cd082369851d08bc2e_cryptolocker.exe  31
  PID 1484 wrote to memory of 2304  1484  2024-10-12_b1954077fdbe19cd082369851d08bc2e_cryptolocker.exe  31
  PID 1484 wrote to memory of 2304  1484  2024-10-12_b1954077fdbe19cd082369851d08bc2e_cryptolocker.exe  31
  PID 1484 wrote to memory of 2304  1484  2024-10-12_b1954077fdbe19cd082369851d08bc2e_cryptolocker.exe  31
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-10-12_b1954077fdbe19cd082369851d08bc2e_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-12_b1954077fdbe19cd082369851d08bc2e_cryptolocker.exe"
   PID: 1484
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\gewos.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
      PID: 2304
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 36KB
MD5: 552554e3d0f162ed9d7e4bfb14786758
SHA1: 6443ea175a7d14b9c1b545d1a07656e3cfd6da8b
SHA256: ca30ad493ff5fca4a17e7d376922a6f91ed4faf6d3275c9937f9a2f8330547cd
SHA512: 3defd9d7d6c31a2c46b86536f7e98313935909b9f090515ce4c33bf84766c89d1a863b7a1195f4a5687cd4e569a08ffd564270464ab9d157f97bebb44ce667da