Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/03/2024, 15:51
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe
Size: 46KB
MD5: da176fda146dda66456b2c20e3f89c7b
SHA1: 6ac3ccec0b5098151504263f101cb41726567857
SHA256: dd9a6ab0da53fdc0dc788094411b412bb2213845a984f46c691c7883397ce849
SHA512: 7158f591c06061f50282b28bbf8235cc375f5636be5ea1f9cffcc48753f6b868f27ba5e14aa6d7f12a9a510340a26fda696c471daeef7b87f5bf104878712c1a
SSDEEP: 768:qmOKYQDf5XdrDmjr5tOOtEvwDpjAajFEitQbDmoSQCVUBJUkQqAHBIG05W2Mobez:qmbhXDmjr5MOtEvwDpj5cDtKkQZQG
Malware Config
Signatures
Detection of CryptoLocker Variants (5 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1048-0-0x0000000000500000-0x0000000000510000-memory.dmp    CryptoLocker_rule2
  behavioral1/files/0x000a00000001224c-11.dat                                  CryptoLocker_rule2
  behavioral1/memory/1048-15-0x0000000000500000-0x0000000000510000-memory.dmp   CryptoLocker_rule2
  behavioral1/memory/2612-18-0x0000000000500000-0x0000000000510000-memory.dmp   CryptoLocker_rule2
  behavioral1/memory/2612-27-0x0000000000500000-0x0000000000510000-memory.dmp   CryptoLocker_rule2

Detection of Cryptolocker Samples (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1048-15-0x0000000000500000-0x0000000000510000-memory.dmp   CryptoLocker_set1
  behavioral1/memory/2612-18-0x0000000000500000-0x0000000000510000-memory.dmp   CryptoLocker_set1
  behavioral1/memory/2612-27-0x0000000000500000-0x0000000000510000-memory.dmp   CryptoLocker_set1

UPX dump on OEP (original entry point) (5 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1048-0-0x0000000000500000-0x0000000000510000-memory.dmp    UPX
  behavioral1/files/0x000a00000001224c-11.dat                                  UPX
  behavioral1/memory/1048-15-0x0000000000500000-0x0000000000510000-memory.dmp   UPX
  behavioral1/memory/2612-18-0x0000000000500000-0x0000000000510000-memory.dmp   UPX
  behavioral1/memory/2612-27-0x0000000000500000-0x0000000000510000-memory.dmp   UPX

Executes dropped EXE (1 IoCs)
  pid   Process
  2612  asih.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  1048  2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                                        procid_target
  PID 1048 wrote to memory of 2612  1048  2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe  28
  PID 1048 wrote to memory of 2612  1048  2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe  28
  PID 1048 wrote to memory of 2612  1048  2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe  28
  PID 1048 wrote to memory of 2612  1048  2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe"
  PID: 1048
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\asih.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    PID: 2612
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 46KB
MD5: b02c9b8cb26e19fcbcf10c66622c91e9
SHA1: feb28c0ddd1044740e79c2fffd5edd37a6353cc8
SHA256: 955ac69bc1d68c29c4f80af8ffd58b37c69dddfaaf1739df9b2c789433e54c59
SHA512: 62c15dc20827db3288ce0281daefc1453864466aa5541c55c1c02af7d23a9fa8c3ca216f919ec9841ff6151da4213d21ab08a6c64b842181db3c992d5f841e24