Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-03-2024 04:45
Static task: static1
Behavioral task: behavioral1
  Sample: e83149488595683e0c78febb79881ed5.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e83149488595683e0c78febb79881ed5.exe
  Resource: win10v2004-20240226-en
General
Target: e83149488595683e0c78febb79881ed5.exe
Size: 390KB
MD5: e83149488595683e0c78febb79881ed5
SHA1: 32d867c375c50d906c4a5d08f8bd96012548ecde
SHA256: 9345dca87ef550116e235df4675ffd44110d5c6060c5bc0e100c1d1c279d5e8e
SHA512: 12e16991a414d3eb4b1a961f18548b6dd0b052767b253b33a63f646b904a41940ad9cfeca7b9028e224e42be3cf1982ce21a0899e420717b84d31b4429e415ce
SSDEEP: 6144:oWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvCPD4SsSOg:oWkEuCaNT85I2vCMX5l+ZRv//G
Malware Config
Signatures
- CryptoLocker
  Ransomware family with multiple variants.
- Deletes itself (1 IoC)
  pid 5016   process {34184A33-0407-212E-3320-09040709E2C2}.exe
- Executes dropped EXE (2 IoCs)
  pid 5016   process {34184A33-0407-212E-3320-09040709E2C2}.exe
  pid 3244   process {34184A33-0407-212E-3320-09040709E2C2}.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"
  process: {34184A33-0407-212E-3320-09040709E2C2}.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid    process                                        procid_target
  PID 548 wrote to memory of 5016    548    e83149488595683e0c78febb79881ed5.exe           94
  PID 548 wrote to memory of 5016    548    e83149488595683e0c78febb79881ed5.exe           94
  PID 548 wrote to memory of 5016    548    e83149488595683e0c78febb79881ed5.exe           94
  PID 5016 wrote to memory of 3244   5016   {34184A33-0407-212E-3320-09040709E2C2}.exe     95
  PID 5016 wrote to memory of 3244   5016   {34184A33-0407-212E-3320-09040709E2C2}.exe     95
  PID 5016 wrote to memory of 3244   5016   {34184A33-0407-212E-3320-09040709E2C2}.exe     95
Processes
C:\Users\Admin\AppData\Local\Temp\e83149488595683e0c78febb79881ed5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e83149488595683e0c78febb79881ed5.exe"
  PID: 548
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    command line: "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\e83149488595683e0c78febb79881ed5.exe"
    PID: 5016
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      command line: "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000220
      PID: 3244
      - Executes dropped EXE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
  PID: 4092
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 390KB
MD5: e83149488595683e0c78febb79881ed5
SHA1: 32d867c375c50d906c4a5d08f8bd96012548ecde
SHA256: 9345dca87ef550116e235df4675ffd44110d5c6060c5bc0e100c1d1c279d5e8e
SHA512: 12e16991a414d3eb4b1a961f18548b6dd0b052767b253b33a63f646b904a41940ad9cfeca7b9028e224e42be3cf1982ce21a0899e420717b84d31b4429e415ce