Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 17:39
Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-25_dfe4ac26d67ee8f3875ce51437e0c467_cryptolocker.exe
Resource: win7-20231129-en
General
Target: 2024-01-25_dfe4ac26d67ee8f3875ce51437e0c467_cryptolocker.exe
Size: 55KB
MD5: dfe4ac26d67ee8f3875ce51437e0c467
SHA1: 34191f01a7c809c31f1b99869691ce0f099f0b79
SHA256: 1e2a374f545f19b6b22751173a65cd86c8f4e61088c8765a39fa4498d59873a2
SHA512: 8f53071f76dcf82d358afb18c12e6ac0ca6cb90ce306667bd816884d53f9a678311d7e4e71c260b9f56a3c53f89a3a7ef9424d364768a41812db41fd9eff07b3
SSDEEP: 768:79inqyNR/QtOOtEvwDpjBK/iVTab3GRuv3VylsPxAt:79mqyNhQMOtEvwDpjBPY7xv3gy52
Malware Config
Signatures

Detection of CryptoLocker Variants (5 IoCs)
resource  yara_rule
behavioral1/memory/804-1-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_rule2
\Users\Admin\AppData\Local\Temp\asih.exe  CryptoLocker_rule2
behavioral1/memory/804-13-0x0000000002840000-0x000000000284F000-memory.dmp  CryptoLocker_rule2
behavioral1/memory/804-16-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_rule2
behavioral1/memory/3036-22-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_rule2

Detection of Cryptolocker Samples (5 IoCs)
resource  yara_rule
behavioral1/memory/804-1-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_set1
\Users\Admin\AppData\Local\Temp\asih.exe  CryptoLocker_set1
behavioral1/memory/804-13-0x0000000002840000-0x000000000284F000-memory.dmp  CryptoLocker_set1
behavioral1/memory/804-16-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_set1
behavioral1/memory/3036-22-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_set1

Executes dropped EXE (1 IoC)
pid  process
3036  asih.exe

Loads dropped DLL (1 IoC)
pid  process
804  2024-01-25_dfe4ac26d67ee8f3875ce51437e0c467_cryptolocker.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
description  pid  process  target process
PID 804 wrote to memory of 3036  804  2024-01-25_dfe4ac26d67ee8f3875ce51437e0c467_cryptolocker.exe  asih.exe
(the same parent-to-child write is recorded four times)
Processes
1  C:\Users\Admin\AppData\Local\Temp\2024-01-25_dfe4ac26d67ee8f3875ce51437e0c467_cryptolocker.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_dfe4ac26d67ee8f3875ce51437e0c467_cryptolocker.exe"
   PID: 804
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\asih.exe (child of PID 804)
      command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      PID: 3036
      - Executes dropped EXE
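The signature tables and the process tree above are flattened for display, which makes them awkward to use directly in triage. The following is an added example, not part of this report and not the sandbox vendor's tooling: it parses the report's rows into per-process indicators (YARA hits, flagged memory regions, which process wrote into which) and prints the findings a responder would pull out. REPORT is constructed from the entries shown on this page; the regular expressions encode an assumption about how this report style phrases each row.

```python
"""Turn the flattened signature tables of a sandbox report into per-process
indicators.  Added example; REPORT is constructed from the entries on the page,
and the row grammars below are an assumption about the report's wording."""
import re
from collections import defaultdict

SAMPLE = "2024-01-25_dfe4ac26d67ee8f3875ce51437e0c467_cryptolocker.exe"
TEMP = "\\Users\\Admin\\AppData\\Local\\Temp\\"

# Constructed input: signature heading -> the rows listed under it.
REPORT = {
    "Suspicious use of WriteProcessMemory": [
        f"PID 804 wrote to memory of 3036 804 {SAMPLE} asih.exe"] * 4,
    "Loads dropped DLL": [f"804 {SAMPLE}"],
    "Executes dropped EXE": ["3036 asih.exe"],
    "Detection of CryptoLocker Variants": [
        "behavioral1/memory/804-1-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2",
        f"{TEMP}asih.exe CryptoLocker_rule2",
        "behavioral1/memory/804-13-0x0000000002840000-0x000000000284F000-memory.dmp CryptoLocker_rule2",
        "behavioral1/memory/804-16-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2",
        "behavioral1/memory/3036-22-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2",
    ],
    "Detection of Cryptolocker Samples": [
        "behavioral1/memory/804-1-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1",
        f"{TEMP}asih.exe CryptoLocker_set1",
        "behavioral1/memory/804-13-0x0000000002840000-0x000000000284F000-memory.dmp CryptoLocker_set1",
        "behavioral1/memory/804-16-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1",
        "behavioral1/memory/3036-22-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1",
    ],
}

# Assumed row grammars.
# "PID <src> wrote to memory of <dst> <pid> <process> <target process>"
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
# "behavioral1/memory/<pid>-<event>-0x<start>-0x<end>-memory.dmp <rule>"
MEM_RE = re.compile(r"^behavioral1/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)$")
# "<path beginning with a backslash> <rule>"
FILE_RE = re.compile(r"^(\\\S+) (\S+)$")
# "<pid> <process>"
PIDPROC_RE = re.compile(r"^(\d+) (\S+)$")


def new_proc():
    # written_by: PID that wrote into this process's memory (not necessarily its parent)
    return {"image": None, "written_by": None, "signatures": set(), "yara": set(), "regions": []}


def parse_report(report):
    """Return (processes keyed by pid string, yara hits keyed by file path)."""
    procs = defaultdict(new_proc)
    files = defaultdict(set)
    for section, rows in report.items():
        for row in rows:
            if m := WRITE_RE.match(row):
                src, dst, src_img, dst_img = m.groups()
                procs[src]["image"] = src_img
                procs[src]["signatures"].add(section)
                procs[dst]["image"] = dst_img
                procs[dst]["written_by"] = src
            elif m := MEM_RE.match(row):
                pid, event, start, end, rule = m.groups()
                procs[pid]["yara"].add(rule)
                procs[pid]["regions"].append((int(event), int(start, 16), int(end, 16), rule))
            elif m := FILE_RE.match(row):
                files[m.group(1)].add(m.group(2))
            elif m := PIDPROC_RE.match(row):
                procs[m.group(1)]["image"] = m.group(2)
                procs[m.group(1)]["signatures"].add(section)
            else:
                raise ValueError(f"unrecognised row under {section!r}: {row}")
    return procs, files


def distinct_regions(proc):
    """Unique (start, end) ranges flagged in a process; a region re-scanned at a
    later event (804-1 and 804-16 here) counts once."""
    return sorted({(s, e) for _, s, e, _ in proc["regions"]})


def triage(procs, files):
    """Plain-language findings derived from the parsed tables."""
    findings = []
    for pid, p in sorted(procs.items(), key=lambda kv: int(kv[0])):
        if p["written_by"] and "Executes dropped EXE" in p["signatures"]:
            w = procs[p["written_by"]]
            findings.append(f"{w['image']} (PID {p['written_by']}) wrote into memory of "
                            f"dropped {p['image']} (PID {pid})")
        for start, end in distinct_regions(p):
            findings.append(f"PID {pid}: {end - start:#x} bytes at {start:#x} matched "
                            f"{', '.join(sorted(p['yara']))}")
    for path, rules in sorted(files.items()):
        if path.startswith(TEMP):
            findings.append(f"dropped file {path} matched {', '.join(sorted(rules))}")
    return findings


if __name__ == "__main__":
    procs, files = parse_report(REPORT)
    for line in triage(procs, files):
        print(line)
```

Two things the parsed form makes visible that the flat tables hide: the range 0x500000-0x50F000 in PID 804 is hit at events 1 and 16, so it is one region re-scanned rather than two injection sites, and the same-sized range (0xF000 bytes) is flagged in PID 3036, the dropped asih.exe that PID 804 wrote into. The report alone does not say whether those writes are image staging or something else, so the finding is worded as what was observed and nothing more.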
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 55KB
MD5: 7ff3f1ab0f2d8c7a9d29f836b4d62351
SHA1: ef9c8fe6ffcc870d0119341f703faae04b754b5a
SHA256: 546f40e7acadd5ba22e5164ade314a64125314e019f28928301f5aff7af45cfe
SHA512: 1547caca7a897386d02454b3a247875791227df696eb4f48bef681aaac7b4972c8e1e136032b468a2d9ea8f8e1443beccdab942a003e236db682baea9ef5e391