Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
12-02-2024 19:26
Behavioral task
behavioral1
Sample
2024-02-12_c305ee08c2c75c67aa3e146413119198_cryptolocker.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-02-12_c305ee08c2c75c67aa3e146413119198_cryptolocker.exe
Resource
win10v2004-20231222-en
General
-
Target
2024-02-12_c305ee08c2c75c67aa3e146413119198_cryptolocker.exe
-
Size
126KB
-
MD5
c305ee08c2c75c67aa3e146413119198
-
SHA1
245841bdb458d6006b9fe8eacdabd49c43b8939b
-
SHA256
8cac72bb4dfef748bd481de89cb32e8de1e57c5ff0994e65cad77659e53e2ecd
-
SHA512
66b16806b39213b1a5d34e90fb9940ff954ba235a87c482cebbec7af7089c9e0f70d16e54c08448becd09cf83b26a664bd431e736c05fce25ddacd2d8e15557b
-
SSDEEP
1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgp699GNtL1eInY:AnBdOOtEvwDpj6zV
Malware Config
Signatures
-
Detection of CryptoLocker Variants 6 IoCs
Processes:
resource yara_rule behavioral1/memory/2900-1-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/memory/2900-14-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 \Users\Admin\AppData\Local\Temp\asih.exe CryptoLocker_rule2 behavioral1/memory/2284-18-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/memory/2284-27-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/memory/2900-29-0x0000000001FA0000-0x0000000001FAF000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 6 IoCs
Processes:
resource yara_rule behavioral1/memory/2900-1-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/memory/2900-14-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 \Users\Admin\AppData\Local\Temp\asih.exe CryptoLocker_set1 behavioral1/memory/2284-18-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/memory/2284-27-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/memory/2900-29-0x0000000001FA0000-0x0000000001FAF000-memory.dmp CryptoLocker_set1 -
UPX dump on OEP (original entry point) 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2900-1-0x0000000000500000-0x000000000050F000-memory.dmp UPX behavioral1/memory/2900-14-0x0000000000500000-0x000000000050F000-memory.dmp UPX \Users\Admin\AppData\Local\Temp\asih.exe UPX behavioral1/memory/2284-18-0x0000000000500000-0x000000000050F000-memory.dmp UPX behavioral1/memory/2284-27-0x0000000000500000-0x000000000050F000-memory.dmp UPX -
Executes dropped EXE 1 IoCs
Processes:
asih.exepid process 2284 asih.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-02-12_c305ee08c2c75c67aa3e146413119198_cryptolocker.exepid process 2900 2024-02-12_c305ee08c2c75c67aa3e146413119198_cryptolocker.exe -
Processes:
resource yara_rule behavioral1/memory/2900-1-0x0000000000500000-0x000000000050F000-memory.dmp upx behavioral1/memory/2900-14-0x0000000000500000-0x000000000050F000-memory.dmp upx \Users\Admin\AppData\Local\Temp\asih.exe upx behavioral1/memory/2284-18-0x0000000000500000-0x000000000050F000-memory.dmp upx behavioral1/memory/2284-27-0x0000000000500000-0x000000000050F000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-02-12_c305ee08c2c75c67aa3e146413119198_cryptolocker.exedescription pid process target process PID 2900 wrote to memory of 2284 2900 2024-02-12_c305ee08c2c75c67aa3e146413119198_cryptolocker.exe asih.exe PID 2900 wrote to memory of 2284 2900 2024-02-12_c305ee08c2c75c67aa3e146413119198_cryptolocker.exe asih.exe PID 2900 wrote to memory of 2284 2900 2024-02-12_c305ee08c2c75c67aa3e146413119198_cryptolocker.exe asih.exe PID 2900 wrote to memory of 2284 2900 2024-02-12_c305ee08c2c75c67aa3e146413119198_cryptolocker.exe asih.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-12_c305ee08c2c75c67aa3e146413119198_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-12_c305ee08c2c75c67aa3e146413119198_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:2284
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
126KB
MD543fb578f8f5acfa36c6b0f721022d5f9
SHA140bac0c34807aa1500144e30bf7bbfd9874e0f39
SHA2567be9b022eea8ff518faa93bd50cab271a03bc04afb291b8ab1d737f48e447c98
SHA512dec1cff96c7934aee60a86504875d51159accbc4424da5b98196af1830814a28ea8679a466780a6ecd46341bdfa00d16c8fa2fe3d826b201add339b19a9356bd