Analysis

- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 15:50
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 2024-01-25_cebd64f5578d05fc82c9773e27c11492_cryptolocker.exe
  - Resource: win7-20231215-en
General

- Target: 2024-01-25_cebd64f5578d05fc82c9773e27c11492_cryptolocker.exe
- Size: 50KB
- MD5: cebd64f5578d05fc82c9773e27c11492
- SHA1: 5ba1b8fc321734a1e807d7d8a57e913077fd1f48
- SHA256: 63edb8a556595d3ef12fdd256c70f447fff7f26fed2e8899a6fe20abb905e864
- SHA512: 817a594fe0069b4b9b97eb76c1058eb65c746d4fd9b0ca395c239cc33163bba19a4fcf1ecc9717ad13efebc767d9ac9d07daf7b05f59e5be209febc0079ef8f6
- SSDEEP: 768:X6LsoEEeegiZPvEhHSG+gp/BtOOtEvwDpjBVaD3E09vaToguMyj:X6QFElP6n+gJBMOtEvwDpjBtEJNM+
Malware Config
Signatures

- Detection of CryptoLocker Variants (1 IoC)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\asih.exe
    yara_rule: CryptoLocker_rule2
- Detection of Cryptolocker Samples (1 IoC)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\asih.exe
    yara_rule: CryptoLocker_set1
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2332: asih.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid 1212: 2024-01-25_cebd64f5578d05fc82c9773e27c11492_cryptolocker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process), the same entry recorded four times:
    PID 1212 wrote to memory of 2332 / 1212 / 2024-01-25_cebd64f5578d05fc82c9773e27c11492_cryptolocker.exe / asih.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\2024-01-25_cebd64f5578d05fc82c9773e27c11492_cryptolocker.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_cebd64f5578d05fc82c9773e27c11492_cryptolocker.exe"
  PID: 1212
  Signatures:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\asih.exe (depth 2, child of PID 1212)
    Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    PID: 2332
    Signatures:
    - Executes dropped EXE
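The two behavioural signatures that matter most here, "Executes dropped EXE" and "Suspicious use of WriteProcessMemory", can be re-derived from a plain process/file/memory event stream. The block below is an added example and is not part of the sandbox report or of any sandbox vendor's code. The event record format is a constructed, Sysmon-like simplification; the PIDs, paths and event ordering are taken from the report above, the parent's own parent PID (900) and the event field names are assumptions.

```python
"""Re-derive two sandbox signatures from a minimal event trace (added example)."""
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PARENT = TEMP + r"\2024-01-25_cebd64f5578d05fc82c9773e27c11492_cryptolocker.exe"
CHILD = TEMP + r"\asih.exe"

# Constructed event log modelled loosely on Sysmon process-create (1),
# file-create (11) and process-access (10) events. The ppid 900 for the
# initial process is an assumption; everything else mirrors the report.
EVENTS = [
    {"type": "ProcessCreate", "pid": 1212, "ppid": 900, "image": PARENT},
    {"type": "FileCreate", "pid": 1212, "target": CHILD},
    {"type": "ProcessCreate", "pid": 2332, "ppid": 1212, "image": CHILD},
] + [
    {"type": "ProcessAccess", "pid": 1212, "target_pid": 2332,
     "access": "WriteProcessMemory"}
    for _ in range(4)
]


def executes_dropped_exe(events):
    """Return (dropper_pid, child_pid, image) for every process whose image
    file was written by another process earlier in the same trace."""
    dropped = {}  # normalised path -> pid that created the file
    hits = []
    for ev in events:
        if ev["type"] == "FileCreate":
            dropped[ev["target"].lower()] = ev["pid"]
        elif ev["type"] == "ProcessCreate":
            writer = dropped.get(ev["image"].lower())
            if writer is not None:
                hits.append((writer, ev["pid"], ev["image"]))
    return hits


def write_process_memory(events):
    """Count cross-process WriteProcessMemory calls per (source, target) pid pair.
    Writes into a process's own address space are ignored."""
    counts = defaultdict(int)
    for ev in events:
        if (ev["type"] == "ProcessAccess"
                and ev["access"] == "WriteProcessMemory"
                and ev["pid"] != ev["target_pid"]):
            counts[(ev["pid"], ev["target_pid"])] += 1
    return dict(counts)


def triage(events):
    """Produce report-style signature lines from the trace."""
    lines = []
    for writer, pid, image in executes_dropped_exe(events):
        lines.append(f"Executes dropped EXE: pid {pid} ({image}) dropped by pid {writer}")
    for (src, dst), n in sorted(write_process_memory(events).items()):
        lines.append(f"Suspicious use of WriteProcessMemory: pid {src} wrote to pid {dst} {n} times")
    return lines


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

Two caveats when turning this into a production rule. First, a parent writing into a freshly created child is also what debuggers and some launchers do, so the WriteProcessMemory count on its own is a weak signal; it becomes interesting here because the target is an executable the parent itself just wrote to %Temp%. Second, the file-create lookup keys on the normalised path, so a dropper that writes the file under one name and launches it through a different link or short name would evade this naive version; matching on the created file's hash (the report gives MD5/SHA256 for asih.exe) is more robust.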
Network
MITRE ATT&CK Enterprise v15
Downloads

- \Users\Admin\AppData\Local\Temp\asih.exe
  Filesize: 50KB
  MD5: b245c19880686d6eb7fb3fb9442e0f3f
  SHA1: 0d893ac6f5000a30c8725383f2f1165cef742751
  SHA256: 00b23165a2ba61d451610aa36a75f0c2baf4bfa33b0ca7350e35aeae34cb5112
  SHA512: 50d8dccfac58965599d042fa31256401fdad90768f61c40b952a473fd6084797222c0b0f5fb30cd1b5b0eb78f93f9e3d71c9a78a04e88770fb828fae42b645d9
- memory/1212-0-0x00000000002D0000-0x00000000002D6000-memory.dmp
  Filesize: 24KB
- memory/1212-1-0x0000000000300000-0x0000000000306000-memory.dmp
  Filesize: 24KB
- memory/1212-4-0x00000000002D0000-0x00000000002D6000-memory.dmp
  Filesize: 24KB
- memory/2332-15-0x0000000000450000-0x0000000000456000-memory.dmp
  Filesize: 24KB
- memory/2332-18-0x0000000000320000-0x0000000000326000-memory.dmp
  Filesize: 24KB
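The memory dump names above encode the dumped process, a capture index and the region's start and end address, so the listed Filesize values can be checked against the address range rather than taken on trust. The block below is an added example, not code from the report or its sandbox; the naming convention it parses is read directly from the five file names listed, and the interpretation of the index as a capture sequence number is an assumption.

```python
"""Parse sandbox memory-dump file names and check the listed sizes (added example)."""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# The five dump names from the report, with the sizes the report lists.
REPORT_DUMPS = {
    "memory/1212-0-0x00000000002D0000-0x00000000002D6000-memory.dmp": "24KB",
    "memory/1212-1-0x0000000000300000-0x0000000000306000-memory.dmp": "24KB",
    "memory/1212-4-0x00000000002D0000-0x00000000002D6000-memory.dmp": "24KB",
    "memory/2332-15-0x0000000000450000-0x0000000000456000-memory.dmp": "24KB",
    "memory/2332-18-0x0000000000320000-0x0000000000326000-memory.dmp": "24KB",
}

ALLOC_GRANULARITY = 0x10000  # Windows VirtualAlloc base-address granularity


def parse_dump_name(name):
    """Split a dump name into pid, capture index (assumed meaning), start, end, size."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def size_label(nbytes):
    """Render a byte count the way the report does (whole KB)."""
    return f"{nbytes // 1024}KB"


def check_sizes(dumps):
    """Return names whose listed size disagrees with the address range."""
    return [n for n, listed in dumps.items()
            if size_label(parse_dump_name(n)["size"]) != listed]


def regions_by_pid(names):
    """Group parsed dumps by pid, preserving the report's order."""
    out = defaultdict(list)
    for n in names:
        d = parse_dump_name(n)
        out[d["pid"]].append(d)
    return dict(out)


def allocation_aligned(names):
    """True if every region base lies on a 64 KiB allocation boundary."""
    return all(parse_dump_name(n)["start"] % ALLOC_GRANULARITY == 0 for n in names)


if __name__ == "__main__":
    print("size mismatches:", check_sizes(REPORT_DUMPS))
    for pid, regs in regions_by_pid(REPORT_DUMPS).items():
        print(pid, [(hex(r["start"]), r["size"]) for r in regs])
```

Running it on the report's names confirms each range is 0x6000 bytes, which is the listed 24KB. Two observations follow that the flat listing hides: the dumps for PID 1212 at index 0 and index 4 cover the same 0x2D0000 region, so they are two snapshots of one allocation rather than two allocations, and every base address is a multiple of 0x10000, consistent with regions obtained through VirtualAlloc rather than sub-regions of the 50KB mapped image.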