Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
19-02-2024 20:29
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-19_3bbabf942d024ceafb7e928294aaedb1_cryptolocker.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-02-19_3bbabf942d024ceafb7e928294aaedb1_cryptolocker.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-02-19_3bbabf942d024ceafb7e928294aaedb1_cryptolocker.exe
-
Size
31KB
-
MD5
3bbabf942d024ceafb7e928294aaedb1
-
SHA1
eab91e4461a95b4e23259118902204da045f11bf
-
SHA256
4b5b3c310b1a7ab788699a8761d01f40c5720cb32b7ddb005724767d6cedf4b2
-
SHA512
a7be4d3775b6100be9986362ed5c1ea9e44f7d287270741491583f0f2c2ab1d99e9d2c01b16dc66e79324b962ea5ce1b493db28566ee91a1eacd04d294b0f5fa
-
SSDEEP
384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUr766SJ/Tl+bltoGAz3:bA74zYcgT/Ekd0ryfjQRSlwltcz3
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral1/files/0x0009000000012252-10.dat CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
pid Process 2696 hasfj.exe -
Loads dropped DLL 1 IoCs
pid Process 2400 2024-02-19_3bbabf942d024ceafb7e928294aaedb1_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2400 wrote to memory of 2696 2400 2024-02-19_3bbabf942d024ceafb7e928294aaedb1_cryptolocker.exe 28 PID 2400 wrote to memory of 2696 2400 2024-02-19_3bbabf942d024ceafb7e928294aaedb1_cryptolocker.exe 28 PID 2400 wrote to memory of 2696 2400 2024-02-19_3bbabf942d024ceafb7e928294aaedb1_cryptolocker.exe 28 PID 2400 wrote to memory of 2696 2400 2024-02-19_3bbabf942d024ceafb7e928294aaedb1_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-19_3bbabf942d024ceafb7e928294aaedb1_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-19_3bbabf942d024ceafb7e928294aaedb1_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\hasfj.exe"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"2⤵
- Executes dropped EXE
PID:2696
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD50d89f111525dbb513c0af1189129ae78
SHA1591f90af2cddc71672519267099d906dd933bfb4
SHA256c5c3249d6dd56c82cdb9aa1c1da28218f8607791a45185d3ebc5239e5b88b2f8
SHA5128e4ffc3ebb256c8cb32913c7b8b85fd76a0eabfa7b2da7623e7ee44306b367ea4f39da4d203a288fa7df59619faed1312679dcdac7324148dc9f74b1f41cc681