Analysis
-
max time kernel
180s -
max time network
188s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
19-04-2024 12:38
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-19_699a61ce52dfd297f0d6de546e3a3d38_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-19_699a61ce52dfd297f0d6de546e3a3d38_cryptolocker.exe
Resource
win10v2004-20240412-en
General
-
Target
2024-04-19_699a61ce52dfd297f0d6de546e3a3d38_cryptolocker.exe
-
Size
67KB
-
MD5
699a61ce52dfd297f0d6de546e3a3d38
-
SHA1
194a1cd9d4f485e0e431bd14fd131fa5f1f1abaf
-
SHA256
071165a2122c9b03ee606c7e72dcb6e6f0632a1ff2a6fd6ed3493fd0ce7a85fc
-
SHA512
f16167522156fa28cde50ebefacfae110701987ba71f89fefa3da6cbfad82eeaa88c1b5b53d37462876e3b342d30ab7260f7e60838a23da33c9a5fd7eed13115
-
SSDEEP
768:XS5nQJ24LR1bytOOtEvwDpjNbZ7uyA36S7MpxRXrZSUNsYD/6:i5nkFGMOtEvwDpjNbwQEI8UZDC
Malware Config
Signatures
-
Detection of CryptoLocker Variants 5 IoCs
resource yara_rule behavioral1/memory/2104-0-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/files/0x0009000000012265-11.dat CryptoLocker_rule2 behavioral1/memory/2708-16-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/memory/2104-15-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/memory/2708-26-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 3 IoCs
resource yara_rule behavioral1/memory/2708-16-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/memory/2104-15-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/memory/2708-26-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 -
Detects executables built or packed with MPress PE compressor 5 IoCs
resource yara_rule behavioral1/memory/2104-0-0x0000000000500000-0x000000000050F000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/files/0x0009000000012265-11.dat INDICATOR_EXE_Packed_MPress behavioral1/memory/2708-16-0x0000000000500000-0x000000000050F000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2104-15-0x0000000000500000-0x000000000050F000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2708-26-0x0000000000500000-0x000000000050F000-memory.dmp INDICATOR_EXE_Packed_MPress -
Executes dropped EXE 1 IoCs
pid Process 2708 misid.exe -
Loads dropped DLL 1 IoCs
pid Process 2104 2024-04-19_699a61ce52dfd297f0d6de546e3a3d38_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2104 wrote to memory of 2708 2104 2024-04-19_699a61ce52dfd297f0d6de546e3a3d38_cryptolocker.exe 29 PID 2104 wrote to memory of 2708 2104 2024-04-19_699a61ce52dfd297f0d6de546e3a3d38_cryptolocker.exe 29 PID 2104 wrote to memory of 2708 2104 2024-04-19_699a61ce52dfd297f0d6de546e3a3d38_cryptolocker.exe 29 PID 2104 wrote to memory of 2708 2104 2024-04-19_699a61ce52dfd297f0d6de546e3a3d38_cryptolocker.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-19_699a61ce52dfd297f0d6de546e3a3d38_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-19_699a61ce52dfd297f0d6de546e3a3d38_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\misid.exe"C:\Users\Admin\AppData\Local\Temp\misid.exe"2⤵
- Executes dropped EXE
PID:2708
-
Network
-
Remote address:8.8.8.8:53Requestbestccc.comIN AResponsebestccc.comIN A103.14.121.240
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD5aba3634f5a1f266cd2741ad4ab174cf4
SHA115a8bef2bc6f4f9d90c7e9d86e7cc8256c988b4b
SHA25616490404c2055293573edae2fddbb1659dfccbef8b33c692b617409aed385aba
SHA5120a60346019e70ab5290ccc6ecacc5b81821ee60f25dd6d1f03d898469b7f17a45d55e2f7bbb65e7d59aab80cb8c17631352d2f3c07cf87177903fc791a2e921b