Analysis

max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-03-2024 04:11

Static task: static1
Behavioral task: behavioral1
  Sample: d15685fbb5e5e45d4f9d31078268f345.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d15685fbb5e5e45d4f9d31078268f345.exe
  Resource: win10v2004-20240226-en
General

Target: d15685fbb5e5e45d4f9d31078268f345.exe
Size: 390KB
MD5: d15685fbb5e5e45d4f9d31078268f345
SHA1: 9551d766b07a5a8e98146bc91473eb027dc0968c
SHA256: 6ce538003451f172118e593922997afb745a618aad609b010224278e6d262091
SHA512: c4c768d8bb2af978ccaaf62e6cdbdd1e8c524a678929a064017e5b9a9b178d4430a76ac19d569e6849f300b13aa97f6b8d08d573f5fdd4e74793d02573dd5455
SSDEEP: 6144:rWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvCJS9SGg:rWkEuCaNT85I2vCMX5l+ZRvqKK
Malware Config
Signatures
- CryptoLocker
  Ransomware family with multiple variants.

- Deletes itself (1 IoC)
  pid   Process
  2800  {34184A33-0407-212E-3320-09040709E2C2}.exe

- Executes dropped EXE (2 IoCs)
  pid   Process
  2800  {34184A33-0407-212E-3320-09040709E2C2}.exe
  1872  {34184A33-0407-212E-3320-09040709E2C2}.exe

- Loads dropped DLL (2 IoCs)
  pid   Process
  2220  d15685fbb5e5e45d4f9d31078268f345.exe
  2800  {34184A33-0407-212E-3320-09040709E2C2}.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"  {34184A33-0407-212E-3320-09040709E2C2}.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                       procid_target
  PID 2220 wrote to memory of 2800  2220  d15685fbb5e5e45d4f9d31078268f345.exe          28
  PID 2220 wrote to memory of 2800  2220  d15685fbb5e5e45d4f9d31078268f345.exe          28
  PID 2220 wrote to memory of 2800  2220  d15685fbb5e5e45d4f9d31078268f345.exe          28
  PID 2220 wrote to memory of 2800  2220  d15685fbb5e5e45d4f9d31078268f345.exe          28
  PID 2800 wrote to memory of 1872  2800  {34184A33-0407-212E-3320-09040709E2C2}.exe    29
  PID 2800 wrote to memory of 1872  2800  {34184A33-0407-212E-3320-09040709E2C2}.exe    29
  PID 2800 wrote to memory of 1872  2800  {34184A33-0407-212E-3320-09040709E2C2}.exe    29
  PID 2800 wrote to memory of 1872  2800  {34184A33-0407-212E-3320-09040709E2C2}.exe    29
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\d15685fbb5e5e45d4f9d31078268f345.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d15685fbb5e5e45d4f9d31078268f345.exe"
  PID: 2220
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    Command line: "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\d15685fbb5e5e45d4f9d31078268f345.exe"
    PID: 2800
    Signatures: Deletes itself; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8
      PID: 1872
      Signatures: Executes dropped EXE
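The process tree and signatures above describe a three-stage chain: the original sample (PID 2220) drops a copy named {GUID}.exe into AppData\Roaming and launches it with "/r" followed by the original's own path; that copy (PID 2800) writes a Run value named CryptoLocker pointing at itself and is the process credited with "Deletes itself"; it then relaunches its own image a third time (PID 1872) with "/w000000C8". The following is an added detection example, not part of the sandbox report: three rules, each keyed to one stage, run over events constructed from this report's process tree and registry IoC. Field names (EventID 1 for process creation, EventID 13 for registry value set, ProcessId, ParentProcessId, Image, CommandLine, TargetObject, Details) follow Sysmon-style naming and are an assumption about the telemetry format; the parent PID 1234 of the initial process is made up, as is the benign OneDrive Run entry used as a control.

```python
import re
from typing import Dict, List, Set, Tuple

# Dropped-copy location seen in the report, generalised to any GUID filename.
GUID_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$",
    re.IGNORECASE,
)
# A value written under <hive>\Software\Microsoft\Windows\CurrentVersion\Run; group 1 is the value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE
)

APPDATA = r"C:\Users\Admin\AppData"
DROPPED = APPDATA + r"\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"
ORIGINAL = APPDATA + r"\Local\Temp\d15685fbb5e5e45d4f9d31078268f345.exe"
SID = "S-1-5-21-406356229-2805545415-1236085040-1000"
RUN_KEY = "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed events mirroring the report (Sysmon-style field names are an assumption;
# ParentProcessId 1234 and the OneDrive control entry are made up).
EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 2220, "ParentProcessId": 1234, "Image": ORIGINAL,
     "CommandLine": f'"{ORIGINAL}"'},
    {"EventID": 1, "ProcessId": 2800, "ParentProcessId": 2220, "Image": DROPPED,
     "CommandLine": f'"{DROPPED}" "/r{ORIGINAL}"'},
    {"EventID": 13, "ProcessId": 2800, "TargetObject": RUN_KEY + r"\CryptoLocker",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 1872, "ParentProcessId": 2800, "Image": DROPPED,
     "CommandLine": f'"{DROPPED}" /w000000C8'},
    {"EventID": 13, "ProcessId": 900, "TargetObject": RUN_KEY + r"\OneDrive",
     "Details": APPDATA + r"\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


def _procs(events: List[Dict]) -> Dict[int, Dict]:
    """Index process-creation events by PID."""
    return {e["ProcessId"]: e for e in events if e["EventID"] == 1}


def find_guid_dropper_chain(events: List[Dict]) -> List[Tuple[int, int]]:
    """Stage 2: (parent_pid, child_pid) where the child is a Roaming {GUID}.exe and its
    command line carries '/r' immediately followed by the parent's own image path."""
    procs = _procs(events)
    hits = []
    for e in procs.values():
        if not GUID_EXE_RE.search(e["Image"]):
            continue
        parent = procs.get(e["ParentProcessId"])
        if parent and ("/r" + parent["Image"]).lower() in e["CommandLine"].lower():
            hits.append((parent["ProcessId"], e["ProcessId"]))
    return hits


def find_self_relaunch(events: List[Dict]) -> List[Tuple[int, int]]:
    """Stage 3: (parent_pid, child_pid) where a Roaming {GUID}.exe spawns its own image again."""
    procs = _procs(events)
    hits = []
    for e in procs.values():
        parent = procs.get(e["ParentProcessId"])
        if (parent and GUID_EXE_RE.search(e["Image"])
                and parent["Image"].lower() == e["Image"].lower()):
            hits.append((parent["ProcessId"], e["ProcessId"]))
    return hits


def find_run_key_to_guid_exe(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Persistence: (pid, value_name, target) for Run values pointing at a Roaming {GUID}.exe.
    The value name is reported but not matched on, so a renamed 'CryptoLocker' still fires."""
    hits = []
    for e in events:
        if e["EventID"] != 13:
            continue
        m = RUN_KEY_RE.search(e["TargetObject"])
        if m and GUID_EXE_RE.search(e["Details"].strip('"')):
            hits.append((e["ProcessId"], m.group(1), e["Details"]))
    return hits


def suspicious_pids(events: List[Dict]) -> Set[int]:
    """Union of PIDs implicated by any rule, for triage or containment."""
    pids: Set[int] = set()
    for parent, child in find_guid_dropper_chain(events) + find_self_relaunch(events):
        pids.update((parent, child))
    pids.update(h[0] for h in find_run_key_to_guid_exe(events))
    return pids


if __name__ == "__main__":
    for rule in (find_guid_dropper_chain, find_self_relaunch, find_run_key_to_guid_exe):
        print(rule.__name__, rule(EVENTS))
    print("suspicious pids:", sorted(suspicious_pids(EVENTS)))
```

Each rule fires on one stage of the chain in this report (2220 to 2800, 2800 to 1872, and the Run value written by 2800) while the OneDrive control entry stays quiet, because the GUID-filename-in-Roaming pattern is required on top of the Run-key path. The stage-2 rule keys on the original path being passed to the copy after "/r", which is consistent with the copy being the process that removes the original ("Deletes itself" is attributed to PID 2800), but the report does not show the deletion itself, so the rule does not claim it. On a fleet these rules should be tuned against installer frameworks that also run from Roaming, and the MD5/SHA256 above should be used as the exact-match layer alongside them.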
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 390KB
  MD5: d15685fbb5e5e45d4f9d31078268f345
  SHA1: 9551d766b07a5a8e98146bc91473eb027dc0968c
  SHA256: 6ce538003451f172118e593922997afb745a618aad609b010224278e6d262091
  SHA512: c4c768d8bb2af978ccaaf62e6cdbdd1e8c524a678929a064017e5b9a9b178d4430a76ac19d569e6849f300b13aa97f6b8d08d573f5fdd4e74793d02573dd5455