Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
12-02-2024 19:52
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-12_3015fa5251c07ad858bb953489ff1339_cryptolocker.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-02-12_3015fa5251c07ad858bb953489ff1339_cryptolocker.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-02-12_3015fa5251c07ad858bb953489ff1339_cryptolocker.exe
-
Size
47KB
-
MD5
3015fa5251c07ad858bb953489ff1339
-
SHA1
f0905d6cf4eca7a9d864b5a67204b3de9dd1c88c
-
SHA256
18cf787bea8880b8605e3083053bc7256eb254d14462eaf75bf05439a1b082b7
-
SHA512
fea34b20c107c31c2c58b210e182a3e6bcdf80b804bd6755bae6c1580967c6c69cdd1d210f6b4a1a24238f6bbeb8885d12c3a2474a51f0213588f09b1a6dd5b3
-
SSDEEP
768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37YbDu5z/hDx:bgGYcA/53GAA6y37nbF
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\hasfj.exe CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
Processes:
hasfj.exepid process 2828 hasfj.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-02-12_3015fa5251c07ad858bb953489ff1339_cryptolocker.exepid process 1972 2024-02-12_3015fa5251c07ad858bb953489ff1339_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-02-12_3015fa5251c07ad858bb953489ff1339_cryptolocker.exedescription pid process target process PID 1972 wrote to memory of 2828 1972 2024-02-12_3015fa5251c07ad858bb953489ff1339_cryptolocker.exe hasfj.exe PID 1972 wrote to memory of 2828 1972 2024-02-12_3015fa5251c07ad858bb953489ff1339_cryptolocker.exe hasfj.exe PID 1972 wrote to memory of 2828 1972 2024-02-12_3015fa5251c07ad858bb953489ff1339_cryptolocker.exe hasfj.exe PID 1972 wrote to memory of 2828 1972 2024-02-12_3015fa5251c07ad858bb953489ff1339_cryptolocker.exe hasfj.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-12_3015fa5251c07ad858bb953489ff1339_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-12_3015fa5251c07ad858bb953489ff1339_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Users\Admin\AppData\Local\Temp\hasfj.exe"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"2⤵
- Executes dropped EXE
PID:2828
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
47KB
MD58b03c3ec95c9e4ce59359a69f0756d58
SHA120830c13e1e2121d0d1fc5032cf934f019f1ae6d
SHA2567a256badcde0fce3a10e90374a2dfcd343ecd00def5cde05cc921ab844fcd4af
SHA512d9eb5b5885b7307973093b9c7355512b1109a051cea6e3de976757ef00b72e5f8e26f9cf41315ab8f5ad3c8f34156175dd1ed3d6b4f295c676fc73b4db8ff3f6