Analysis

max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-03-2024 04:32
Static task: static1

Behavioral task: behavioral1
  Sample: e256554751f567643b949445307bbbd4.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: e256554751f567643b949445307bbbd4.exe
  Resource: win10v2004-20240226-en
General

Target: e256554751f567643b949445307bbbd4.exe
Size: 404KB
MD5: e256554751f567643b949445307bbbd4
SHA1: a3ec05323d9c7ed51868615f46449818dd69201c
SHA256: 6b14c5898323db58c5ff44149f65fc99b04924ba76dac72c18872e53d4829af9
SHA512: a1dfafb2a9229e42e30a794cac4bcc89e7007487b93d262779f1f076c80c7d0752fc910e7bc3ceee70443902cc169b3dc835cb02267ca8490620fa7ebf1bab5e
SSDEEP: 6144:HWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvCGJdZ3:HWkEuCaNT85I2vCMX5l+ZRvJdZ3
Malware Config
Signatures

- CryptoLocker
  Ransomware family with multiple variants.

- Deletes itself (1 IoC)
  pid   Process
  2864  {34184A33-0407-212E-3320-09040709E2C2}.exe

- Executes dropped EXE (2 IoCs)
  pid   Process
  2864  {34184A33-0407-212E-3320-09040709E2C2}.exe
  2828  {34184A33-0407-212E-3320-09040709E2C2}.exe

- Loads dropped DLL (2 IoCs)
  pid   Process
  2648  e256554751f567643b949445307bbbd4.exe
  2864  {34184A33-0407-212E-3320-09040709E2C2}.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"
  Process: {34184A33-0407-212E-3320-09040709E2C2}.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                      procid_target
  PID 2648 wrote to memory of 2864   2648  e256554751f567643b949445307bbbd4.exe         28
  PID 2648 wrote to memory of 2864   2648  e256554751f567643b949445307bbbd4.exe         28
  PID 2648 wrote to memory of 2864   2648  e256554751f567643b949445307bbbd4.exe         28
  PID 2648 wrote to memory of 2864   2648  e256554751f567643b949445307bbbd4.exe         28
  PID 2864 wrote to memory of 2828   2864  {34184A33-0407-212E-3320-09040709E2C2}.exe   29
  PID 2864 wrote to memory of 2828   2864  {34184A33-0407-212E-3320-09040709E2C2}.exe   29
  PID 2864 wrote to memory of 2828   2864  {34184A33-0407-212E-3320-09040709E2C2}.exe   29
  PID 2864 wrote to memory of 2828   2864  {34184A33-0407-212E-3320-09040709E2C2}.exe   29
Processes

C:\Users\Admin\AppData\Local\Temp\e256554751f567643b949445307bbbd4.exe (PID: 2648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e256554751f567643b949445307bbbd4.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe (PID: 2864)
    Command line: "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\e256554751f567643b949445307bbbd4.exe"
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe (PID: 2828)
      Command line: "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15