Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-04-2024 23:29
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe
- Size: 85KB
- MD5: d1fdbf77257065578e7ad01294b55392
- SHA1: ff27d56b600945b50a52f63f5cbd4b924f035eff
- SHA256: 1fbc7b57c4b9f1ae614895cbc6e124c8e5c718d150e9a44c33ae7a2e6429c1ed
- SHA512: 4899ff60eb66bfbd5e562e3e7ef308557285be27000e53428e7f2f65bdfa92e21c49f0774f8658a3fa88e88627c9dbd44dabaa7bf81d19ccaf812ae579089be6
- SSDEEP: 768:V6LsoEEeegiZPvEhHSG+gDYQtOOtEvwDpj/MLa5VccPtNw5CS95yFPnYcU:V6QFElP6n+gMQMOtEvwDpjyaLccVNl6X
Malware Config
Signatures
- Detection of CryptoLocker Variants (1 IoC)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\asih.exe
    yara_rule: CryptoLocker_rule2
- Detection of Cryptolocker Samples (1 IoC)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\asih.exe
    yara_rule: CryptoLocker_set1
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 2564
    process: asih.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid: 2684
    process: 2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
    PID 2684 wrote to memory of 2564 | 2684 | 2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe | asih.exe
    PID 2684 wrote to memory of 2564 | 2684 | 2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe | asih.exe
    PID 2684 wrote to memory of 2564 | 2684 | 2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe | asih.exe
    PID 2684 wrote to memory of 2564 | 2684 | 2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe | asih.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\asih.exe (depth 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\AppData\Local\Temp\asih.exe
  Filesize: 86KB
  MD5: a83392244835386034a584b0940ddf79
  SHA1: 363627dc30ef6374acde485f71c157a0cdebc56f
  SHA256: 49b64751e1c3e1f9fedac0bd6d10d3cd50f0272db99782d004736e2a4f5e9d16
  SHA512: b309c6553acf1de09f6825aa649be458427c78079288d6e32573057b5b9e7fb6270d60b1e64867003aa593ac60432a9345611515943711f8b0f5b3f27c0d7b1a
- memory/2564-22-0x0000000000420000-0x0000000000426000-memory.dmp
  Filesize: 24KB
- memory/2684-0-0x0000000000320000-0x0000000000326000-memory.dmp
  Filesize: 24KB
- memory/2684-8-0x0000000000320000-0x0000000000326000-memory.dmp
  Filesize: 24KB
- memory/2684-1-0x0000000000450000-0x0000000000456000-memory.dmp
  Filesize: 24KB