Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 04/02/2024, 00:27
Behavioral task: behavioral1
Sample: 2024-02-04_48d54ec3d59b631916956ff5b904df34_cryptolocker.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 2024-02-04_48d54ec3d59b631916956ff5b904df34_cryptolocker.exe
Resource: win10v2004-20231215-en
General
Target: 2024-02-04_48d54ec3d59b631916956ff5b904df34_cryptolocker.exe
Size: 124KB
MD5: 48d54ec3d59b631916956ff5b904df34
SHA1: 34fad3dd283e072b58ff9003c0ad816cbd52fc11
SHA256: e29e4615b75fabcced91584465cfc454242de9049cae142da311f5065d80dbcb
SHA512: 8322affacd14d306297ff8fa989886212e743812b8b6506eadfd9f919c80eef53b0e9c521d6bbbaab8d78d062de8151e8c07f3f88884220e9bf7a5a14546e959
SSDEEP: 1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgp699GNtL1eImo:AnBdOOtEvwDpj6zY
Malware Config
Signatures

Detection of CryptoLocker Variants (5 IoCs)
resource                                                                   yara_rule
behavioral1/memory/2376-0-0x0000000000500000-0x000000000050F000-memory.dmp   CryptoLocker_rule2
behavioral1/files/0x000b000000012238-11.dat                                  CryptoLocker_rule2
behavioral1/memory/2376-15-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_rule2
behavioral1/memory/2852-17-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_rule2
behavioral1/memory/2852-27-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_rule2

Detection of Cryptolocker Samples (5 IoCs)
resource                                                                   yara_rule
behavioral1/memory/2376-0-0x0000000000500000-0x000000000050F000-memory.dmp   CryptoLocker_set1
behavioral1/files/0x000b000000012238-11.dat                                  CryptoLocker_set1
behavioral1/memory/2376-15-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_set1
behavioral1/memory/2852-17-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_set1
behavioral1/memory/2852-27-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_set1

UPX dump on OEP (original entry point) (5 IoCs)
resource                                                                   yara_rule
behavioral1/memory/2376-0-0x0000000000500000-0x000000000050F000-memory.dmp   UPX
behavioral1/files/0x000b000000012238-11.dat                                  UPX
behavioral1/memory/2376-15-0x0000000000500000-0x000000000050F000-memory.dmp  UPX
behavioral1/memory/2852-17-0x0000000000500000-0x000000000050F000-memory.dmp  UPX
behavioral1/memory/2852-27-0x0000000000500000-0x000000000050F000-memory.dmp  UPX

Executes dropped EXE (1 IoCs)
pid   Process
2852  asih.exe

Loads dropped DLL (1 IoCs)
pid   Process
2376  2024-02-04_48d54ec3d59b631916956ff5b904df34_cryptolocker.exe

resource                                                                   yara_rule
behavioral1/memory/2376-0-0x0000000000500000-0x000000000050F000-memory.dmp   upx
behavioral1/files/0x000b000000012238-11.dat                                  upx
behavioral1/memory/2376-15-0x0000000000500000-0x000000000050F000-memory.dmp  upx
behavioral1/memory/2852-17-0x0000000000500000-0x000000000050F000-memory.dmp  upx
behavioral1/memory/2852-27-0x0000000000500000-0x000000000050F000-memory.dmp  upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
description                        pid   Process                                                          procid_target
PID 2376 wrote to memory of 2852   2376  2024-02-04_48d54ec3d59b631916956ff5b904df34_cryptolocker.exe   28
PID 2376 wrote to memory of 2852   2376  2024-02-04_48d54ec3d59b631916956ff5b904df34_cryptolocker.exe   28
PID 2376 wrote to memory of 2852   2376  2024-02-04_48d54ec3d59b631916956ff5b904df34_cryptolocker.exe   28
PID 2376 wrote to memory of 2852   2376  2024-02-04_48d54ec3d59b631916956ff5b904df34_cryptolocker.exe   28
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-02-04_48d54ec3d59b631916956ff5b904df34_cryptolocker.exe (PID: 2376)
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-04_48d54ec3d59b631916956ff5b904df34_cryptolocker.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\asih.exe (PID: 2852)
      command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 124KB
MD5: 520323a785a9848b0ae5f06181d8d58a
SHA1: cbfb2011e93ddcd2037ebc523651e19dc48209c8
SHA256: cdcf2bc5ae00e237288220296af35d9f94be17bd34e0054081230c3b2108a5b4
SHA512: a44e129e959eb5fb9e06d529a2b595daf3464f57d2cef0c4ee2160799ec6a555238b9d02725181e752ffc96fa289ab2d21c9302e884b520120e0355c1311618d