Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
26-04-2024 23:28
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-26_b8b024ebee3091e7c110192cb31533c9_cryptolocker.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-04-26_b8b024ebee3091e7c110192cb31533c9_cryptolocker.exe
Resource
win10v2004-20240419-en
General
-
Target
2024-04-26_b8b024ebee3091e7c110192cb31533c9_cryptolocker.exe
-
Size
95KB
-
MD5
b8b024ebee3091e7c110192cb31533c9
-
SHA1
8b0ba9253db9385653f37bc88048c93616ee803d
-
SHA256
0a9ed95dd8528834238f3f34b9fba863079ac4f51bc7c3198fddb1b10a32fcf2
-
SHA512
d978ea29c0645eb8db2bc7cce9f4d6ce28e0c05dc3a77a63caba9d2b335b2d4d46decfd89d0337716960f4860861b6b3a6f8e0414ecccddfe9440bbd3e279603
-
SSDEEP
1536:V6QFElP6n+gMQMOtEvwDpjQGYQbN/PKwMgYj:V6a+pOtEvwDpjtzI
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\asih.exe CryptoLocker_rule2 -
Detection of Cryptolocker Samples 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\asih.exe CryptoLocker_set1 -
Executes dropped EXE 1 IoCs
Processes:
asih.exepid process 2680 asih.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-04-26_b8b024ebee3091e7c110192cb31533c9_cryptolocker.exepid process 936 2024-04-26_b8b024ebee3091e7c110192cb31533c9_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-04-26_b8b024ebee3091e7c110192cb31533c9_cryptolocker.exedescription pid process target process PID 936 wrote to memory of 2680 936 2024-04-26_b8b024ebee3091e7c110192cb31533c9_cryptolocker.exe asih.exe PID 936 wrote to memory of 2680 936 2024-04-26_b8b024ebee3091e7c110192cb31533c9_cryptolocker.exe asih.exe PID 936 wrote to memory of 2680 936 2024-04-26_b8b024ebee3091e7c110192cb31533c9_cryptolocker.exe asih.exe PID 936 wrote to memory of 2680 936 2024-04-26_b8b024ebee3091e7c110192cb31533c9_cryptolocker.exe asih.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-26_b8b024ebee3091e7c110192cb31533c9_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-26_b8b024ebee3091e7c110192cb31533c9_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\asih.exeFilesize
95KB
MD5bb040347ad0c3ff7eae3a4fca46b3d3d
SHA15d451ed0010fb0089cf7df50668e95a039829091
SHA2567dd0864a42d0033b4129a9a716afe7e4c24208a616c78d02639aad8122d1cc00
SHA51291c39e6b1d362078492c5797dca6054cca6ad550f9987beee2eeba2edd2a1e7fa4d6e3868ef98ae743203bce22188249b48af0dcf239a32bfcb399e50c51f017
-
memory/936-0-0x0000000000440000-0x0000000000446000-memory.dmpFilesize
24KB
-
memory/936-1-0x0000000000480000-0x0000000000486000-memory.dmpFilesize
24KB
-
memory/936-8-0x0000000000440000-0x0000000000446000-memory.dmpFilesize
24KB
-
memory/2680-15-0x0000000000310000-0x0000000000316000-memory.dmpFilesize
24KB
-
memory/2680-22-0x00000000002C0000-0x00000000002C6000-memory.dmpFilesize
24KB