Analysis

- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 15:30

Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe
Resource: win7-20231215-en
General

- Target: 2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe
- Size: 30KB
- MD5: 448cd77c0907643ee262e3c1a0b171c0
- SHA1: a361483d6a0af007221c185b269fcd4abdd431da
- SHA256: ebe5f73ed9f2dfce29830d687c0fff2bdef3d5a30b84ee2b24348148fb7b0cf2
- SHA512: 8f11108b97e8936a9b0435286dcb1fb2c38e30977ad4aae79c51966401a42fb396faf7f42b6aeb753b5637b216349f2024560a50afbce224b9f08426c3814712
- SSDEEP: 384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUgIunIyNc:bA74zYcgT/Ekd0ryfjPIunty
Malware Config

Signatures

- Detection of CryptoLocker Variants (1 IoC)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\hasfj.exe | CryptoLocker_rule2

- Executes dropped EXE (1 IoC)
  pid | process
  2012 | hasfj.exe

- Loads dropped DLL (1 IoC)
  pid | process
  1632 | 2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | target process
  PID 1632 wrote to memory of 2012 | 1632 | 2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe | hasfj.exe
  PID 1632 wrote to memory of 2012 | 1632 | 2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe | hasfj.exe
  PID 1632 wrote to memory of 2012 | 1632 | 2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe | hasfj.exe
  PID 1632 wrote to memory of 2012 | 1632 | 2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe | hasfj.exe
  All four writes come from the parent (1632) into the child it has just created (2012). On Windows 7 the CreateProcess path itself writes the new process's startup parameters into the child with NtWriteVirtualMemory, so parent-to-child writes around process creation are expected and do not by themselves establish code injection; writes into a process the writer did not spawn would be the stronger signal.
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe"
  PID: 1632
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\hasfj.exe (child of PID 1632)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
    PID: 2012
    - Executes dropped EXE
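The behaviours above (a file written to %TEMP% and then executed, plus cross-process memory writes from the dropper into the child) can be re-derived from a raw event trace. The following Python is an added example, not code from the report or from the sandbox vendor: the EVENTS list is a constructed trace shaped like this report's process tree (PID 1632 drops and runs hasfj.exe as PID 2012, then writes to its memory four times), and the record layout, TEMP_DIR constant and function names are assumptions, not any real sandbox export format. It goes slightly beyond the report by labelling memory writes as parent-to-child (what CreateProcess setup looks like) versus writes into an unrelated process.

```python
"""Correlate sandbox-style process events into the behaviours this report flags.

Added example; not code from the original report or the sandbox vendor.
EVENTS is constructed to mirror the report's process tree and uses a
made-up record shape (assumption), not a real export format.
"""
from collections import Counter

# Assumed location of the user temp directory, lower-cased, drive letter stripped.
TEMP_DIR = r"\users\admin\appdata\local\temp"

# Constructed sample input, in the order a sandbox would emit it.
EVENTS = [
    {"type": "process_start", "pid": 1632, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe"},
    {"type": "file_write", "pid": 1632,
     "path": r"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"},
    {"type": "process_start", "pid": 2012, "ppid": 1632,
     "image": r"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"},
] + [{"type": "write_process_memory", "pid": 1632, "target_pid": 2012}] * 4


def norm(path):
    """Case-fold a Windows path and drop the drive letter so comparisons are stable."""
    p = path.lower().replace("/", "\\")
    return p[2:] if len(p) > 1 and p[1] == ":" else p


def in_temp(path):
    """True when the path sits under the (assumed) user temp directory."""
    return norm(path).startswith(TEMP_DIR + "\\")


def executed_dropped(events):
    """Processes whose image was written to disk earlier in the trace by another process.

    Returns a list of (pid, image, dropper_pid) in execution order.
    """
    writers = {}  # normalised path -> pid that last wrote it
    hits = []
    for ev in events:
        if ev["type"] == "file_write":
            writers[norm(ev["path"])] = ev["pid"]
        elif ev["type"] == "process_start":
            dropper = writers.get(norm(ev["image"]))
            if dropper is not None and dropper != ev["pid"]:
                hits.append((ev["pid"], ev["image"], dropper))
    return hits


def classify_memory_writes(events):
    """Group WriteProcessMemory events by (writer, target) and label the relationship.

    A parent writing into a child it created is what the Windows 7 CreateProcess path
    itself does (startup parameters are pushed into the new process), so those are
    labelled "parent_to_child"; writes into any other process are "foreign" and are
    the ones worth treating as injection evidence.
    """
    parent_of = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process_start"}
    counts = Counter((ev["pid"], ev["target_pid"]) for ev in events
                     if ev["type"] == "write_process_memory")
    result = {}
    for (writer, target), n in counts.items():
        relation = "parent_to_child" if parent_of.get(target) == writer else "foreign"
        result[(writer, target)] = {"count": n, "relation": relation}
    return result


def summarize(events):
    """Produce findings of the same kind the report lists, as a plain dict."""
    dropped = executed_dropped(events)
    writes = classify_memory_writes(events)
    return {
        "executes_dropped_exe": [(pid, image) for pid, image, _ in dropped],
        "dropped_exe_in_temp": [image for _, image, _ in dropped if in_temp(image)],
        "parent_to_child_writes": sum(v["count"] for v in writes.values()
                                      if v["relation"] == "parent_to_child"),
        "foreign_writes": sum(v["count"] for v in writes.values()
                              if v["relation"] == "foreign"),
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key}: {value}")
```

Run against the constructed trace, `summarize` reports one dropped executable run from %TEMP%, four parent-to-child writes and no foreign writes, which matches the report's signature block; a write from 2012 into a process it did not spawn would surface under `foreign_writes`.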
Network
MITRE ATT&CK Enterprise v15
Downloads

- \Users\Admin\AppData\Local\Temp\hasfj.exe
  Filesize: 30KB
  MD5: 5ac7d792c7d6ff365c37728fde858ea9
  SHA1: 3429ebfc31463ce10b3d181cff02a30dd9947130
  SHA256: c3069e7194a4eb01a2b80422a6ec4a99945e06cfccba597623998a5b1f1cc38d
  SHA512: 8e21e9040663fcf1a7122b19311875af73b5ca0ea5124735b77f698229032698ea681728a47536831d6b9318509b114265801f60909d2a26befa9a56cdc7f402

- memory/1632-0-0x0000000000270000-0x0000000000276000-memory.dmp
  Filesize: 24KB

- memory/1632-2-0x00000000003A0000-0x00000000003A6000-memory.dmp
  Filesize: 24KB

- memory/1632-1-0x0000000000270000-0x0000000000276000-memory.dmp
  Filesize: 24KB

- memory/2012-15-0x0000000000470000-0x0000000000476000-memory.dmp
  Filesize: 24KB

- memory/2012-22-0x0000000000450000-0x0000000000456000-memory.dmp
  Filesize: 24KB