Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 27/01/2024, 07:22
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-01-27_0cb8ebd1eb7399f6b84922baf0322765_cryptolocker.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2024-01-27_0cb8ebd1eb7399f6b84922baf0322765_cryptolocker.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-01-27_0cb8ebd1eb7399f6b84922baf0322765_cryptolocker.exe
Size: 62KB
MD5: 0cb8ebd1eb7399f6b84922baf0322765
SHA1: e880be8f6460795a326e8aa1aaa3eb4dc7eeb5f2
SHA256: 96f856f4f92cded43f8d27003b39816bdfe9281254d4296a5e85d1a26ebdc42f
SHA512: 48478a2d21974f13038b1081fa38f01060c174efa4bf563098f6c92238ad20570ec58510c300b51058be8a47be4ae4e3ea78b467074e81f47bba70b5ceecedb6
SSDEEP: 768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPOYRmNxt5I52kGEO10Km2:6j+1NMOtEvwDpjr8ox8UDEy0Km2
Malware Config
Signatures
- Detection of CryptoLocker Variants (5 IoCs)
  resource | yara_rule
  behavioral1/memory/1640-0-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_rule2
  behavioral1/files/0x0008000000012254-11.dat | CryptoLocker_rule2
  behavioral1/memory/1640-15-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_rule2
  behavioral1/memory/2552-17-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_rule2
  behavioral1/memory/2552-25-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_rule2
- Detection of Cryptolocker Samples (5 IoCs)
  resource | yara_rule
  behavioral1/memory/1640-0-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_set1
  behavioral1/files/0x0008000000012254-11.dat | CryptoLocker_set1
  behavioral1/memory/1640-15-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_set1
  behavioral1/memory/2552-17-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_set1
  behavioral1/memory/2552-25-0x0000000000500000-0x000000000050F000-memory.dmp | CryptoLocker_set1
- Detects executables built or packed with MPress PE compressor (5 IoCs)
  resource | yara_rule
  behavioral1/memory/1640-0-0x0000000000500000-0x000000000050F000-memory.dmp | INDICATOR_EXE_Packed_MPress
  behavioral1/files/0x0008000000012254-11.dat | INDICATOR_EXE_Packed_MPress
  behavioral1/memory/1640-15-0x0000000000500000-0x000000000050F000-memory.dmp | INDICATOR_EXE_Packed_MPress
  behavioral1/memory/2552-17-0x0000000000500000-0x000000000050F000-memory.dmp | INDICATOR_EXE_Packed_MPress
  behavioral1/memory/2552-25-0x0000000000500000-0x000000000050F000-memory.dmp | INDICATOR_EXE_Packed_MPress
- Executes dropped EXE (1 IoCs)
  pid | Process
  2552 | misid.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  1640 | 2024-01-27_0cb8ebd1eb7399f6b84922baf0322765_cryptolocker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs, all four entries identical)
  description | pid | Process | procid_target
  PID 1640 wrote to memory of 2552 | 1640 | 2024-01-27_0cb8ebd1eb7399f6b84922baf0322765_cryptolocker.exe | 28
Processes
1. "C:\Users\Admin\AppData\Local\Temp\2024-01-27_0cb8ebd1eb7399f6b84922baf0322765_cryptolocker.exe" (PID: 1640)
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\misid.exe" (PID: 2552), child of PID 1640
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 62KB
  MD5: 501ae87929f6776ad36c751ac68d1abf
  SHA1: ae4adabc268fd001ae16679b77711ec23df50c88
  SHA256: 8d17135200347472e2808dc48b1d44c5aeb9a6a6dbc22e28586b4e1ea19fcb92
  SHA512: 10c35ebe1aa558e4922886ef29682d360e3afd3a9f5e3682530234d14e0c7d228ddab8b46bd464177d9fd2900ed46f708295b574b0a973291beb459ce03136e2