Analysis
max time kernel: 148s
max time network: 152s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 15:33
Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe
Resource: win7-20231215-en
General
Target: 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe
Size: 39KB
MD5: 53e97dd5c4e5d82ab023e6aa7045487e
SHA1: 9d0f007c030a37c40dfeb9f895477ca031d1f82c
SHA256: 97b65be6c46ad9e28f291b309753b7ab90af2e9e5f7009b1248abcddfc285008
SHA512: 55a24f91b015c4374b8db4bae78f17dbea161a80c1f9ffff04821c80e95bafdf270157c2a5d7fd395aed3871a41800dd21a4470aa5ee3bbf9f47bcbe97992900
SSDEEP: 768:bgX4zYcgTEu6QOaryfjqDDw3sCu5b+qZw7pM:bgGYcA/53GADw8ClqZw7pM
Malware Config
Signatures

Detection of CryptoLocker Variants (1 IoC)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  yara_rule: CryptoLocker_rule2

Executes dropped EXE (1 IoC)
Processes:
  pid: 288
  process: hasfj.exe

Loads dropped DLL (1 IoC)
Processes:
  pid: 2612
  process: 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description | pid | process | target process
  PID 2612 wrote to memory of 288 | 2612 | 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe | hasfj.exe
  PID 2612 wrote to memory of 288 | 2612 | 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe | hasfj.exe
  PID 2612 wrote to memory of 288 | 2612 | 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe | hasfj.exe
  PID 2612 wrote to memory of 288 | 2612 | 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe | hasfj.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2612

   2. C:\Users\Admin\AppData\Local\Temp\hasfj.exe (child of PID 2612)
      Command line: "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      - Executes dropped EXE
      PID: 288
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  Filesize: 39KB
  MD5: 79d4f336c64449c2fcf225ee3a73b9ee
  SHA1: e20a603fe363a6061b05c5a6c22cf1b51be7b69b
  SHA256: c492f4c4ceed311a602dbe5bba80664e1dd76c4e572ef014294f6c4ef4f58c32
  SHA512: f94530dab1d5c64bc9ec988cfcb4bd63ed52ca2e44ddf94ddf43daf6cab9e093f709df2359aa0a462ee3024f01ee960a95cf96ad1bf4441783b707b980c88fe5

memory/288-15-0x0000000000390000-0x0000000000396000-memory.dmp
  Filesize: 24KB

memory/288-22-0x00000000002F0000-0x00000000002F6000-memory.dmp
  Filesize: 24KB

memory/2612-0-0x0000000000870000-0x0000000000876000-memory.dmp
  Filesize: 24KB

memory/2612-2-0x0000000000890000-0x0000000000896000-memory.dmp
  Filesize: 24KB

memory/2612-1-0x0000000000870000-0x0000000000876000-memory.dmp
  Filesize: 24KB