Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2024, 22:24
Behavioral task: behavioral1
Sample: 2024-01-27_45d8480b7441a72773b5b8822d7b3368_cryptolocker.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 2024-01-27_45d8480b7441a72773b5b8822d7b3368_cryptolocker.exe
Resource: win10v2004-20231215-en
General
Target: 2024-01-27_45d8480b7441a72773b5b8822d7b3368_cryptolocker.exe
Size: 62KB
MD5: 45d8480b7441a72773b5b8822d7b3368
SHA1: 23728153ff089a0ff4e1dbd25d29a2ebd4d91640
SHA256: 9010bc04bd117ab66d6036f025f273608b2a0a51652c6c4d9a293c41c8d42073
SHA512: 03477baccdbc454faeaeaf7b01ac5092ee893aa4caa68eaa5b9f8c3bc449f17205dbd53553c421838234d2907a8c656a3075e83244564e1a1536e6be1d3e30c3
SSDEEP: 768:zQz7yVEhs9+syJP6ntOOtEvwDpjFelaB7yBEY9Su8F5mLZ5K7/:zj+soPSMOtEvwDpj4kpmeLmY
Malware Config

Signatures

Detection of CryptoLocker Variants (5 IoCs)
resource / yara_rule:
- behavioral1/memory/2164-0-0x0000000000500000-0x0000000000510000-memory.dmp: CryptoLocker_rule2
- behavioral1/files/0x000a000000012255-11.dat: CryptoLocker_rule2
- behavioral1/memory/2164-16-0x0000000000500000-0x0000000000510000-memory.dmp: CryptoLocker_rule2
- behavioral1/memory/2304-15-0x0000000000500000-0x0000000000510000-memory.dmp: CryptoLocker_rule2
- behavioral1/memory/2304-26-0x0000000000500000-0x0000000000510000-memory.dmp: CryptoLocker_rule2

Detection of Cryptolocker Samples (5 IoCs)
resource / yara_rule:
- behavioral1/memory/2164-0-0x0000000000500000-0x0000000000510000-memory.dmp: CryptoLocker_set1
- behavioral1/files/0x000a000000012255-11.dat: CryptoLocker_set1
- behavioral1/memory/2164-16-0x0000000000500000-0x0000000000510000-memory.dmp: CryptoLocker_set1
- behavioral1/memory/2304-15-0x0000000000500000-0x0000000000510000-memory.dmp: CryptoLocker_set1
- behavioral1/memory/2304-26-0x0000000000500000-0x0000000000510000-memory.dmp: CryptoLocker_set1

UPX dump on OEP (original entry point) (5 IoCs)
resource / yara_rule:
- behavioral1/memory/2164-0-0x0000000000500000-0x0000000000510000-memory.dmp: UPX
- behavioral1/files/0x000a000000012255-11.dat: UPX
- behavioral1/memory/2164-16-0x0000000000500000-0x0000000000510000-memory.dmp: UPX
- behavioral1/memory/2304-15-0x0000000000500000-0x0000000000510000-memory.dmp: UPX
- behavioral1/memory/2304-26-0x0000000000500000-0x0000000000510000-memory.dmp: UPX

Executes dropped EXE (1 IoCs)
pid / Process:
- PID 2304: misid.exe

Loads dropped DLL (1 IoCs)
pid / Process:
- PID 2164: 2024-01-27_45d8480b7441a72773b5b8822d7b3368_cryptolocker.exe

resource / yara_rule:
- behavioral1/memory/2164-0-0x0000000000500000-0x0000000000510000-memory.dmp: upx
- behavioral1/files/0x000a000000012255-11.dat: upx
- behavioral1/memory/2164-16-0x0000000000500000-0x0000000000510000-memory.dmp: upx
- behavioral1/memory/2304-15-0x0000000000500000-0x0000000000510000-memory.dmp: upx
- behavioral1/memory/2304-26-0x0000000000500000-0x0000000000510000-memory.dmp: upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
description / pid / Process / procid_target:
- PID 2164 wrote to memory of 2304 / 2164 / 2024-01-27_45d8480b7441a72773b5b8822d7b3368_cryptolocker.exe / 28
- PID 2164 wrote to memory of 2304 / 2164 / 2024-01-27_45d8480b7441a72773b5b8822d7b3368_cryptolocker.exe / 28
- PID 2164 wrote to memory of 2304 / 2164 / 2024-01-27_45d8480b7441a72773b5b8822d7b3368_cryptolocker.exe / 28
- PID 2164 wrote to memory of 2304 / 2164 / 2024-01-27_45d8480b7441a72773b5b8822d7b3368_cryptolocker.exe / 28
Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-27_45d8480b7441a72773b5b8822d7b3368_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-27_45d8480b7441a72773b5b8822d7b3368_cryptolocker.exe"
  PID: 2164
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\misid.exe (child of PID 2164)
      Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      PID: 2304
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 62KB
MD5: d7d67f00dfd8038dc839bec5067be6cc
SHA1: 4b484b1cacbd335748dd8c18b9cca6c345afec7f
SHA256: ac09cde55d170f7c1be3278f28d4a5caa63410d6e875ade3ffa9d3648f9c786e
SHA512: 84682b6ed14d2a02d6fa9c5fb4d3c24a8da3d86b5ec86be8b81e94b3508f719b36d6d8c050c08b2b6ac544c39328411a9c5f98f78526e549be1927e8fa17f469