Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
19-02-2024 17:26
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-19_2143481eab83e07a291850099fe1c104_cryptolocker.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-02-19_2143481eab83e07a291850099fe1c104_cryptolocker.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-02-19_2143481eab83e07a291850099fe1c104_cryptolocker.exe
-
Size
34KB
-
MD5
2143481eab83e07a291850099fe1c104
-
SHA1
9db5987590aa9987c92c17697f4f7c8103849dd1
-
SHA256
51a4341ce43d90df56468a4a2764fab298f5256312ffee16e80867528f335fd3
-
SHA512
3080002bba98e59ebda6a74fe0e1b0ae28640fe9f7aede84228503dca70c39afe1f9c301d52bb2a3a782ce2b34b2cc7364dc4eaca49c4f33790f34d8007b1bcb
-
SSDEEP
384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUqMV6U8zKvGaLigYdO:bA74zYcgT/Ekd0ryfj86U8zbUYdO
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral1/files/0x0009000000014a5b-13.dat CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
pid Process 1968 hasfj.exe -
Loads dropped DLL 1 IoCs
pid Process 776 2024-02-19_2143481eab83e07a291850099fe1c104_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 776 wrote to memory of 1968 776 2024-02-19_2143481eab83e07a291850099fe1c104_cryptolocker.exe 28 PID 776 wrote to memory of 1968 776 2024-02-19_2143481eab83e07a291850099fe1c104_cryptolocker.exe 28 PID 776 wrote to memory of 1968 776 2024-02-19_2143481eab83e07a291850099fe1c104_cryptolocker.exe 28 PID 776 wrote to memory of 1968 776 2024-02-19_2143481eab83e07a291850099fe1c104_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-19_2143481eab83e07a291850099fe1c104_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-19_2143481eab83e07a291850099fe1c104_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Users\Admin\AppData\Local\Temp\hasfj.exe"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"2⤵
- Executes dropped EXE
PID:1968
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD5d072812228e71236e81e2a44193f5902
SHA1b4d7f1639f3833e0aba89ae0120d781440e6d9f3
SHA2562d1a7d8ac358ecdbd3bdd85650421848ef5d59ca3dcf37ee65381a98e97f8742
SHA51245dc7d6564f34e7dc9bba0589561172de1468d7a2f7dc135dec514aaabd781791a393f6665286b72d0bc9061d903082ece34193135edeb140ed8da5a906a2766