Analysis

max time kernel: 149s
max time network: 156s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15/03/2024, 13:41
Static task: static1

Behavioral task: behavioral1
Sample: 2024-03-15_5dde0a380d252e4e51272f8754a983e1_cryptolocker.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-03-15_5dde0a380d252e4e51272f8754a983e1_cryptolocker.exe
Resource: win10v2004-20240226-en
General

Target: 2024-03-15_5dde0a380d252e4e51272f8754a983e1_cryptolocker.exe
Size: 37KB
MD5: 5dde0a380d252e4e51272f8754a983e1
SHA1: dae1b1c82a1c2d7ca421d1c5ba3879f2f35dc275
SHA256: f11ccb535657b25fc559bcf11c2651656715176528478f1a0eca0f2053fca469
SHA512: ac029ea5a14cfc9adb816ace9959d85c91ec521e7d90af8d702c545b5962660221202305d4e656e23c2e1c115cd15d05991041d87bbb1f16ad4f2fecbf068a66
SSDEEP: 384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUgIunIVpeNs23mAA6luXIy:bA74zYcgT/Ekd0ryfjPIunqpeNswmNXJ
Malware Config

Signatures

Detection of CryptoLocker Variants (1 IoC)
  resource: behavioral1/files/0x000900000001225b-10.dat
  yara_rule: CryptoLocker_rule2

Executes dropped EXE (1 IoC)
  PID 2932, process hasfj.exe

Loads dropped DLL (1 IoC)
  PID 2156, process 2024-03-15_5dde0a380d252e4e51272f8754a983e1_cryptolocker.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2156 (2024-03-15_5dde0a380d252e4e51272f8754a983e1_cryptolocker.exe) wrote to memory of PID 2932; procid_target: 28. The same event is recorded four times.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-15_5dde0a380d252e4e51272f8754a983e1_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-15_5dde0a380d252e4e51272f8754a983e1_cryptolocker.exe"
  PID: 2156
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\hasfj.exe (child of PID 2156)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
    PID: 2932
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 37KB
MD5: d9cd407afa65af131dd71bf0bab20f5c
SHA1: 85b8f502e2efb24e303530c9387d65f54cc3b115
SHA256: bbc0f1e2107bd1e15f111fe456cf5a7a4a53d53063f19859dc08545d5141a728
SHA512: a22249ac5c5a19d656bd66e301a48d95628e8e1841ff345821082db9293b4821ecdc170a5cf712b7dd8a79e7be7a72f53f77abd0ce493b2e89e3071685178e65