Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 17:40
Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-25_e7ce3e59b8de1c6a2ef795c932db91b2_cryptolocker.exe
Resource: win7-20231215-en
General
Target: 2024-01-25_e7ce3e59b8de1c6a2ef795c932db91b2_cryptolocker.exe
Size: 59KB
MD5: e7ce3e59b8de1c6a2ef795c932db91b2
SHA1: 317fd58e791517774733798e0ca0530b72c0e5dd
SHA256: 2de6e94a3b2397740b5024c2cb8f5582592b824cca5a8e63ef7d6644a85b725d
SHA512: b076b5b9657fb3efcddf6de459f39a11f30a14547899655fd641f4d4643fa09b3244e980d91557a8518989ce9019189b6a18f9e4f90eff907aefa61d72036679
SSDEEP: 1536:X6QFElP6n+gJQMOtEvwDpjBccD2RuoNmuBLZ/xn:X6a+SOtEvwDpjBrOZ
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\asih.exe | CryptoLocker_rule2
Detection of Cryptolocker Samples (1 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\asih.exe | CryptoLocker_set1
Executes dropped EXE (1 IoCs)
Processes:
pid | process
2160 | asih.exe
Loads dropped DLL (1 IoCs)
Processes:
pid | process
1720 | 2024-01-25_e7ce3e59b8de1c6a2ef795c932db91b2_cryptolocker.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description | pid | process | target process
PID 1720 wrote to memory of 2160 | 1720 | 2024-01-25_e7ce3e59b8de1c6a2ef795c932db91b2_cryptolocker.exe | asih.exe
PID 1720 wrote to memory of 2160 | 1720 | 2024-01-25_e7ce3e59b8de1c6a2ef795c932db91b2_cryptolocker.exe | asih.exe
PID 1720 wrote to memory of 2160 | 1720 | 2024-01-25_e7ce3e59b8de1c6a2ef795c932db91b2_cryptolocker.exe | asih.exe
PID 1720 wrote to memory of 2160 | 1720 | 2024-01-25_e7ce3e59b8de1c6a2ef795c932db91b2_cryptolocker.exe | asih.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2024-01-25_e7ce3e59b8de1c6a2ef795c932db91b2_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_e7ce3e59b8de1c6a2ef795c932db91b2_cryptolocker.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1720
  C:\Users\Admin\AppData\Local\Temp\asih.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    - Executes dropped EXE
    PID: 2160
Network
MITRE ATT&CK Enterprise v15
Downloads
\Users\Admin\AppData\Local\Temp\asih.exe
Filesize: 60KB
MD5: 00d0896f61905c313b56bb573a4dc8db
SHA1: d43ca8df3a98f2a1842e6d2e4f9222c172d650fc
SHA256: 4fd2ae8afb3069f8e5ed35319f444c359d55f2f69028e44be4b965b1603955f1
SHA512: 7a5a2f1939adce6fe011f1be69953ae7e3cbbe89300e2712a992c68672c5ce6eaa71201dcd238c11f19c81e9410232766101c89c71acf2a1d902b03cb0203366
memory/1720-0-0x00000000001C0000-0x00000000001C6000-memory.dmp
Filesize: 24KB
memory/1720-1-0x00000000003F0000-0x00000000003F6000-memory.dmp
Filesize: 24KB
memory/1720-8-0x00000000001C0000-0x00000000001C6000-memory.dmp
Filesize: 24KB
memory/2160-15-0x0000000000310000-0x0000000000316000-memory.dmp
Filesize: 24KB
memory/2160-17-0x0000000000240000-0x0000000000246000-memory.dmp
Filesize: 24KB