Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
12-02-2024 17:45
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe
-
Size
32KB
-
MD5
9cd29ba79ff7818d50312eb8e7b45a9f
-
SHA1
3c18a1ec3d1a601f88e8852aa5a2ac2feb935e1a
-
SHA256
458ff5047e76020dff2181577c4714885a03080c360a6377f58813db268b9c38
-
SHA512
f9862864653e4c490a22f923c71be7d10afc8d87ef648db150ecb3bbe3ead974120f7dc30d1b8dd480b2e5d44ee7ef8ff64c27d4fad6ffee060697c91546e1ca
-
SSDEEP
384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUr766SJXTQke8SDSCCt:bA74zYcgT/Ekd0ryfjQRSNhpSDM
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\hasfj.exe CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
Processes:
hasfj.exepid process 2688 hasfj.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exepid process 1632 2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exedescription pid process target process PID 1632 wrote to memory of 2688 1632 2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe hasfj.exe PID 1632 wrote to memory of 2688 1632 2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe hasfj.exe PID 1632 wrote to memory of 2688 1632 2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe hasfj.exe PID 1632 wrote to memory of 2688 1632 2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe hasfj.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\hasfj.exe"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"2⤵
- Executes dropped EXE
PID:2688
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32KB
MD55bd944ce128c3f6fb2447cc170ee878d
SHA198b24d9e7f517ee1610a55342920a373a714906f
SHA256d14a3bf99f88d3ae1a6a00aa0196cb00b91c2ae2eed39b7b63174656add46d29
SHA512bfa2054c2ec81d8a34ae8b99e4c6d38649477c867b2078a51b73d4cb4ea62a31d57fc3b520db7835f8abd1ab1dbe1f96c719c7197973aac550cac11e91b8a066