38e45cd5ac20dc82966ac50a24b754e431c353110d4baeb87edc06a2a5c4e77e

Analysis

max time kernel
132s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-15_5b62f1632efa2c3ef6a8a5793bd6b73f_cryptolocker.exe
Size

33KB
MD5

5b62f1632efa2c3ef6a8a5793bd6b73f
SHA1

272542d1d0c226fa9a3bf77e73dc2a09e74ffbdb
SHA256

38e45cd5ac20dc82966ac50a24b754e431c353110d4baeb87edc06a2a5c4e77e
SHA512

c983e62687645dc5ec6ef292c6344915e2274ffd53778c2ce5cdb4ac343f279048d8bb40556ab1dee1d452e5d3de3df71794492607b366bd29556688829bca7c
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4XDIwNc731:btB9g/WItCSsAGjX7e9NC1

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2592	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
1292	2024-10-15_5b62f1632efa2c3ef6a8a5793bd6b73f_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gewos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-15_5b62f1632efa2c3ef6a8a5793bd6b73f_cryptolocker.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1292	2024-10-15_5b62f1632efa2c3ef6a8a5793bd6b73f_cryptolocker.exe
2592	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2592	1292	2024-10-15_5b62f1632efa2c3ef6a8a5793bd6b73f_cryptolocker.exe	30
PID 1292 wrote to memory of 2592	1292	2024-10-15_5b62f1632efa2c3ef6a8a5793bd6b73f_cryptolocker.exe	30
PID 1292 wrote to memory of 2592	1292	2024-10-15_5b62f1632efa2c3ef6a8a5793bd6b73f_cryptolocker.exe	30
PID 1292 wrote to memory of 2592	1292	2024-10-15_5b62f1632efa2c3ef6a8a5793bd6b73f_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-15_5b62f1632efa2c3ef6a8a5793bd6b73f_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-15_5b62f1632efa2c3ef6a8a5793bd6b73f_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
33KB

MD5
bfb16c7579d60b775a2015a10522d421

SHA1
813d7060d1e23e5e66b273e9b7834d54241b25d6

SHA256
0cc6d6c763c398e6963cf02ed82d3b9ca7c46615491bb879c5070518d1e1af10

SHA512
461fd5089c0a76d603d57608463e9a982892690e87c6f4091bbdc55bf82f2b280cd2086b72ae0e86a632bbd1123045498415226a6ded8094ecab4a2ee5d4300f

Download Submit
memory/1292-0-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/1292-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1292-8-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2592-16-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download