Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27-04-2024 22:23
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe
Resource
win10v2004-20240419-en
General
-
Target
2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe
-
Size
42KB
-
MD5
0c31db75f9f138f8c9e14f9d6d0adec6
-
SHA1
e182c00de0c7096881b4ce96c77103fc12c84dfe
-
SHA256
bfef30c36f49ce4ddd80ff387adebc3a0e4bac4c9ff2b496b08c8bc8ca738476
-
SHA512
b5a5602be5be7bf0dd348d9ba92b925534a69fe320d8354c9f1b81a95ab3e4ff9237ecda416d978a8c7600440915a538aa164ee48c7c7fe6bc3ff0ab87de5d34
-
SSDEEP
768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBVaD3TP7DFHuRcD9m:X6QFElP6n+gJQMOtEvwDpjBmzDkWDA
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\asih.exe CryptoLocker_rule2 -
Detection of Cryptolocker Samples 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\asih.exe CryptoLocker_set1 -
Executes dropped EXE 1 IoCs
Processes:
asih.exepid process 1972 asih.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exepid process 2032 2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exedescription pid process target process PID 2032 wrote to memory of 1972 2032 2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe asih.exe PID 2032 wrote to memory of 1972 2032 2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe asih.exe PID 2032 wrote to memory of 1972 2032 2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe asih.exe PID 2032 wrote to memory of 1972 2032 2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe asih.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\asih.exeFilesize
42KB
MD58e87b4bb6e05519b6037127b4fce2fc2
SHA138d1d3dae3e5ef3d2054033eea1a97d324102a78
SHA256516dcf1d55eb2cb889165c73ea6418f2886ee237d773b8b7919b473c80170965
SHA512d671e769e9ab3e965ba1e2d4df8f04f776bf42f600dc83a8ae910df945317412fd67c97baeb1ff238ea93ff5b7fa25ec01eca05cd746e160014d2d5ce0726808
-
memory/1972-22-0x00000000001D0000-0x00000000001D6000-memory.dmpFilesize
24KB
-
memory/1972-15-0x0000000000200000-0x0000000000206000-memory.dmpFilesize
24KB
-
memory/2032-0-0x0000000000240000-0x0000000000246000-memory.dmpFilesize
24KB
-
memory/2032-1-0x0000000000240000-0x0000000000246000-memory.dmpFilesize
24KB
-
memory/2032-2-0x00000000002F0000-0x00000000002F6000-memory.dmpFilesize
24KB