Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
26/03/2024, 06:52
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-26_f983d830504971e1cbe26fee76c72eae_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-26_f983d830504971e1cbe26fee76c72eae_cryptolocker.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-26_f983d830504971e1cbe26fee76c72eae_cryptolocker.exe
-
Size
56KB
-
MD5
f983d830504971e1cbe26fee76c72eae
-
SHA1
e01a975f44528c29f815434668af952f37f970f0
-
SHA256
5473ec69d0449741a5b77601b46a4cc97d49644abddf8c73f039d7efbd51461d
-
SHA512
42c33a1b21b06ccf693ac30eaf7363c0ebb0fdccc65c05b4ba57d8266d6fb1d9c6d571d2bc77daaab9a35808b97a923aa9b7eb491f66e41d4940bb0c42233361
-
SSDEEP
1536:qmbhXDmjr5MOtEvwDpj5cDtKkQZQRKb616n:BbdDmjr+OtEvwDpjMS
Malware Config
Signatures
-
Detection of CryptoLocker Variants 5 IoCs
resource yara_rule behavioral1/memory/1404-0-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_rule2 behavioral1/memory/1404-14-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_rule2 behavioral1/files/0x000800000001227d-11.dat CryptoLocker_rule2 behavioral1/memory/2468-17-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_rule2 behavioral1/memory/2468-27-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 3 IoCs
resource yara_rule behavioral1/memory/1404-14-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_set1 behavioral1/memory/2468-17-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_set1 behavioral1/memory/2468-27-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_set1 -
UPX dump on OEP (original entry point) 5 IoCs
resource yara_rule behavioral1/memory/1404-0-0x0000000000500000-0x0000000000510000-memory.dmp UPX behavioral1/memory/1404-14-0x0000000000500000-0x0000000000510000-memory.dmp UPX behavioral1/files/0x000800000001227d-11.dat UPX behavioral1/memory/2468-17-0x0000000000500000-0x0000000000510000-memory.dmp UPX behavioral1/memory/2468-27-0x0000000000500000-0x0000000000510000-memory.dmp UPX -
Executes dropped EXE 1 IoCs
pid Process 2468 asih.exe -
Loads dropped DLL 1 IoCs
pid Process 1404 2024-03-26_f983d830504971e1cbe26fee76c72eae_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1404 wrote to memory of 2468 1404 2024-03-26_f983d830504971e1cbe26fee76c72eae_cryptolocker.exe 28 PID 1404 wrote to memory of 2468 1404 2024-03-26_f983d830504971e1cbe26fee76c72eae_cryptolocker.exe 28 PID 1404 wrote to memory of 2468 1404 2024-03-26_f983d830504971e1cbe26fee76c72eae_cryptolocker.exe 28 PID 1404 wrote to memory of 2468 1404 2024-03-26_f983d830504971e1cbe26fee76c72eae_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-26_f983d830504971e1cbe26fee76c72eae_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-26_f983d830504971e1cbe26fee76c72eae_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:2468
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
56KB
MD50e66850bb1134ab611fb4c62b4dcbbba
SHA1073aa122b81a9a7ea24298fc98cdc0ff99ff6f8c
SHA25609ab16f9306a48eb512f52a361b80c93d441ed178535966f8a9d26bb032e0c8e
SHA512403dcfd0da93b85d57b991f77ad7e76cd4bcd56c650b05679f7e7ae4b94f796589664fc72dda0da2d929aadb069f308c6d1468bba8c4b9a63b8bc0f46c7fcdae