Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
25-01-2024 15:35
Static task
static1
Behavioral task
behavioral1
Sample
2024-01-25_62d68d09fb35f9470bcef39eabf2d54c_cryptolocker.exe
Resource
win7-20231129-en
General
-
Target
2024-01-25_62d68d09fb35f9470bcef39eabf2d54c_cryptolocker.exe
-
Size
37KB
-
MD5
62d68d09fb35f9470bcef39eabf2d54c
-
SHA1
37251773e948e396c945fa745a7d6f8b129f5731
-
SHA256
b96ac8ee879f95718d8b527e085a5be825768cda2471a18150c1d6e310a2d00e
-
SHA512
f4cfac5c7c8677e11c4d060ffb88547c6474188c4acb4d543ce97ff0566a01980896d930374c563459549aa8fe585a83930cb466bc888b94f4ec5de486141099
-
SSDEEP
768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaac4HKcf24:X6QFElP6n+gJQMOtEvwDpjBsYK624
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\asih.exe CryptoLocker_rule2 -
Detection of Cryptolocker Samples 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\asih.exe CryptoLocker_set1 -
Executes dropped EXE 1 IoCs
Processes:
asih.exepid process 2820 asih.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-01-25_62d68d09fb35f9470bcef39eabf2d54c_cryptolocker.exepid process 1996 2024-01-25_62d68d09fb35f9470bcef39eabf2d54c_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-01-25_62d68d09fb35f9470bcef39eabf2d54c_cryptolocker.exedescription pid process target process PID 1996 wrote to memory of 2820 1996 2024-01-25_62d68d09fb35f9470bcef39eabf2d54c_cryptolocker.exe asih.exe PID 1996 wrote to memory of 2820 1996 2024-01-25_62d68d09fb35f9470bcef39eabf2d54c_cryptolocker.exe asih.exe PID 1996 wrote to memory of 2820 1996 2024-01-25_62d68d09fb35f9470bcef39eabf2d54c_cryptolocker.exe asih.exe PID 1996 wrote to memory of 2820 1996 2024-01-25_62d68d09fb35f9470bcef39eabf2d54c_cryptolocker.exe asih.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_62d68d09fb35f9470bcef39eabf2d54c_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-25_62d68d09fb35f9470bcef39eabf2d54c_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:2820
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\asih.exeFilesize
37KB
MD5c4b801dd9e4e5b383d3d5dc8f9675f1d
SHA11f2668346dfce820d443b507eb3cc91543272f9d
SHA2562d45d613170e6c4c62f20cf69bfd9d6cc6d35c67a108b95cfccae8316ea8fafd
SHA5124cce3f6a4e0ce4645488faef1a20ee96e3351c2fc845bf60e13da668af9a43a22c4dead2d7b9563a14d37a210f19628c53802e64665d285f17b3e880c9e7a748
-
memory/1996-0-0x0000000000320000-0x0000000000326000-memory.dmpFilesize
24KB
-
memory/1996-2-0x0000000000320000-0x0000000000326000-memory.dmpFilesize
24KB
-
memory/1996-1-0x0000000000470000-0x0000000000476000-memory.dmpFilesize
24KB
-
memory/2820-15-0x00000000003D0000-0x00000000003D6000-memory.dmpFilesize
24KB
-
memory/2820-18-0x0000000000280000-0x0000000000286000-memory.dmpFilesize
24KB