Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
12-02-2024 20:01
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-12_4e19ca07bc1e6582db3b9e49c8d49d81_cryptolocker.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-02-12_4e19ca07bc1e6582db3b9e49c8d49d81_cryptolocker.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-02-12_4e19ca07bc1e6582db3b9e49c8d49d81_cryptolocker.exe
-
Size
36KB
-
MD5
4e19ca07bc1e6582db3b9e49c8d49d81
-
SHA1
590d339d2f6d95c5672144815c2f2f9f2a7ae594
-
SHA256
e0fefb76f1251651d459648025a6ef32c0dc6708bb9ed510baea803f61504d69
-
SHA512
78b78800d7c9925846353ce3d54c10fed97a19100f50af31cd6a729dfe123aa0e0a04c7ea031fe26a9cab71d2aaac017766ded590e714e2d12b1f5f5bae965a3
-
SSDEEP
384:bgX4uGLLQRcsdeQ7/nQu63Ag7YmecFanrlwfjDUkKDfWf0w3sp8u5cZnr:bgX4zYcgTEu6QOaryfjqDDw3sCu5i
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\hasfj.exe CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
Processes:
hasfj.exepid process 2712 hasfj.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-02-12_4e19ca07bc1e6582db3b9e49c8d49d81_cryptolocker.exepid process 2332 2024-02-12_4e19ca07bc1e6582db3b9e49c8d49d81_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-02-12_4e19ca07bc1e6582db3b9e49c8d49d81_cryptolocker.exedescription pid process target process PID 2332 wrote to memory of 2712 2332 2024-02-12_4e19ca07bc1e6582db3b9e49c8d49d81_cryptolocker.exe hasfj.exe PID 2332 wrote to memory of 2712 2332 2024-02-12_4e19ca07bc1e6582db3b9e49c8d49d81_cryptolocker.exe hasfj.exe PID 2332 wrote to memory of 2712 2332 2024-02-12_4e19ca07bc1e6582db3b9e49c8d49d81_cryptolocker.exe hasfj.exe PID 2332 wrote to memory of 2712 2332 2024-02-12_4e19ca07bc1e6582db3b9e49c8d49d81_cryptolocker.exe hasfj.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-12_4e19ca07bc1e6582db3b9e49c8d49d81_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-12_4e19ca07bc1e6582db3b9e49c8d49d81_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Users\Admin\AppData\Local\Temp\hasfj.exe"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"2⤵
- Executes dropped EXE
PID:2712
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5fa034a0ff77c775c3a90dd83a2e5e81f
SHA18a09b06dc4e228fa47cb273f8fc6c4052db4c996
SHA256f7e333041d7236c499b5a5eb288225fcab609d65393a8c4905200c199d6f326a
SHA512242c02038cc641ee9215f1ef0d1e959f0a647644660d1560699742f29099d8572afcee20206b271615b9054e26932fa3ff659b6a4db7f63aff2bd7f48fc2f07b