Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 04-03-2024 04:11
Static task: static1
Behavioral task: behavioral1
  Sample: d370b7eb89b4b846814e2f401e6fd2da.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d370b7eb89b4b846814e2f401e6fd2da.exe
  Resource: win10v2004-20240226-en
General
Target: d370b7eb89b4b846814e2f401e6fd2da.exe
Size: 422KB
MD5: d370b7eb89b4b846814e2f401e6fd2da
SHA1: 760fb2ffcbc2cad49311c41b36738077cf2a571b
SHA256: 800f1c7492fca5c04c332059f3fdb39970ce07e1cc5f5b9e8e2651492057587d
SHA512: d9dfda95f316a1c6dd8aaa63481417cd99b552dde6bec061ee7b88b9f0eb9f2adcae3c098d7eb88a9b0c26db829d1ca2b84fc18c64ffdbc77fe104386b1f73b3
SSDEEP: 6144:gWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC/mSAg:gWkEuCaNT85I2vCMX5l+ZRvim8
Malware Config
Signatures
- CryptoLocker
  Ransomware family with multiple variants.
- Deletes itself (1 IoC)
  pid   Process
  628   {34184A33-0407-212E-3320-09040709E2C2}.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  628   {34184A33-0407-212E-3320-09040709E2C2}.exe
  3012  {34184A33-0407-212E-3320-09040709E2C2}.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2028  d370b7eb89b4b846814e2f401e6fd2da.exe
  628   {34184A33-0407-212E-3320-09040709E2C2}.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"  {34184A33-0407-212E-3320-09040709E2C2}.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                       procid_target
  PID 2028 wrote to memory of 628   2028  d370b7eb89b4b846814e2f401e6fd2da.exe          28
  PID 2028 wrote to memory of 628   2028  d370b7eb89b4b846814e2f401e6fd2da.exe          28
  PID 2028 wrote to memory of 628   2028  d370b7eb89b4b846814e2f401e6fd2da.exe          28
  PID 2028 wrote to memory of 628   2028  d370b7eb89b4b846814e2f401e6fd2da.exe          28
  PID 628 wrote to memory of 3012   628   {34184A33-0407-212E-3320-09040709E2C2}.exe    29
  PID 628 wrote to memory of 3012   628   {34184A33-0407-212E-3320-09040709E2C2}.exe    29
  PID 628 wrote to memory of 3012   628   {34184A33-0407-212E-3320-09040709E2C2}.exe    29
  PID 628 wrote to memory of 3012   628   {34184A33-0407-212E-3320-09040709E2C2}.exe    29
Processes
1. C:\Users\Admin\AppData\Local\Temp\d370b7eb89b4b846814e2f401e6fd2da.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d370b7eb89b4b846814e2f401e6fd2da.exe"
   PID: 2028
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe (child of PID 2028)
      Command line: "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\d370b7eb89b4b846814e2f401e6fd2da.exe"
      PID: 628
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe (child of PID 628)
         Command line: "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8
         PID: 3012
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 422KB
MD5: d370b7eb89b4b846814e2f401e6fd2da
SHA1: 760fb2ffcbc2cad49311c41b36738077cf2a571b
SHA256: 800f1c7492fca5c04c332059f3fdb39970ce07e1cc5f5b9e8e2651492057587d
SHA512: d9dfda95f316a1c6dd8aaa63481417cd99b552dde6bec061ee7b88b9f0eb9f2adcae3c098d7eb88a9b0c26db829d1ca2b84fc18c64ffdbc77fe104386b1f73b3