Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
31-10-2024 08:26
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-31_5f275dd72ba777cd5fca170f2ad5cb79_cryptolocker.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-31_5f275dd72ba777cd5fca170f2ad5cb79_cryptolocker.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-31_5f275dd72ba777cd5fca170f2ad5cb79_cryptolocker.exe
-
Size
34KB
-
MD5
5f275dd72ba777cd5fca170f2ad5cb79
-
SHA1
03b369d204e15c4ba4c1fb0a49eb173086fd65e5
-
SHA256
326144d608c2bcbe3488cbb635332ed6ee419c5fbd2ab06d565d5cc6aa7c88ad
-
SHA512
0e70a5717e13d262497cfb5d631bb0f81667e1d5a2384c1e49010d69c4de65e8e3c9688daa3ab47084fc28bc3ace20e98a0f5168bdbfd9a2954101bfa600069d
-
SSDEEP
384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2B4lWS+gp:btB9g/WItCSsAGjX7r3B4GM
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2848 gewos.exe -
Loads dropped DLL 1 IoCs
pid Process 2732 2024-10-31_5f275dd72ba777cd5fca170f2ad5cb79_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-31_5f275dd72ba777cd5fca170f2ad5cb79_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gewos.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2732 2024-10-31_5f275dd72ba777cd5fca170f2ad5cb79_cryptolocker.exe 2848 gewos.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2732 wrote to memory of 2848 2732 2024-10-31_5f275dd72ba777cd5fca170f2ad5cb79_cryptolocker.exe 30 PID 2732 wrote to memory of 2848 2732 2024-10-31_5f275dd72ba777cd5fca170f2ad5cb79_cryptolocker.exe 30 PID 2732 wrote to memory of 2848 2732 2024-10-31_5f275dd72ba777cd5fca170f2ad5cb79_cryptolocker.exe 30 PID 2732 wrote to memory of 2848 2732 2024-10-31_5f275dd72ba777cd5fca170f2ad5cb79_cryptolocker.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-31_5f275dd72ba777cd5fca170f2ad5cb79_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-31_5f275dd72ba777cd5fca170f2ad5cb79_cryptolocker.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\gewos.exe"C:\Users\Admin\AppData\Local\Temp\gewos.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:2848
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD5a0ab9db2b48dfda8ff13797b63457be1
SHA14bcb736f66679c6164eee18985da55bc6760a7cb
SHA256151219a5b258fcb8ec9f68a9b00e150b2a17866d4142469f5b62f8c9a1a5f49b
SHA5123e5dda629126754cb7b6c70d3e4c843b7fd8e9d84ebb27b0b1fb5b9b665192098aa24c5baeb7f6d79045938896ec7d5fd1bd87dd866df073b4641b386e2cfa24