Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-04-2024 22:24
Static task
- static1
Behavioral task
- behavioral1
  Sample: 2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
  Resource: win10v2004-20240419-en
General
- Target: 2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
- Size: 42KB
- MD5: 1fdbddfc21d9aff1fd3b110abdb1a0bc
- SHA1: 8d895081f2ee9da51f8d090c3b2469be017c054d
- SHA256: de48daa26ab9bef1f1f24fc4436f58d8d266462ef542bb718b577d5724f664fe
- SHA512: b0456099efc30e6f8347adc829b15dabcaaa3f37c967e4eefb562e10d697304cd3577e54866ea2e607ab4aba1792d8f24ec249f586434dd7acdcf3158d0a2412
- SSDEEP: 768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBVaD3TP7DFHuRcD9o:X6QFElP6n+gJQMOtEvwDpjBmzDkWD+
Malware Config
Signatures
- Detection of CryptoLocker Variants (1 IoCs)
  Processes:
  resource                                   yara_rule
  \Users\Admin\AppData\Local\Temp\asih.exe   CryptoLocker_rule2
- Detection of Cryptolocker Samples (1 IoCs)
  Processes:
  resource                                   yara_rule
  \Users\Admin\AppData\Local\Temp\asih.exe   CryptoLocker_set1
- Executes dropped EXE (1 IoCs)
  Processes:
  pid    process
  2564   asih.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid    process
  1760   2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                         pid    process                                                           target process
  PID 1760 wrote to memory of 2564    1760   2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe   asih.exe
  PID 1760 wrote to memory of 2564    1760   2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe   asih.exe
  PID 1760 wrote to memory of 2564    1760   2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe   asih.exe
  PID 1760 wrote to memory of 2564    1760   2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe   asih.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\asih.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\AppData\Local\Temp\asih.exe
  Filesize: 42KB
  MD5: f1a367238a8936d47ba5842b075c9859
  SHA1: 7839a13579685beabcc6ef86a4e40363296bbe28
  SHA256: ad90a54109889f75db3629bf9e9375449cd9e9377f700f03d87a73e262580cf8
  SHA512: 71f4eaa18cc482f0a864efa5e25e2c038622eeb8b88374c15197d82f4d9309f4277c777bb3004a08c7eb8b06a87a74160d54a53e55e86b520a5065a1564e74da
- memory/1760-8-0x0000000000320000-0x0000000000326000-memory.dmp
  Filesize: 24KB
- memory/1760-1-0x0000000000350000-0x0000000000356000-memory.dmp
  Filesize: 24KB
- memory/1760-0-0x0000000000320000-0x0000000000326000-memory.dmp
  Filesize: 24KB
- memory/2564-15-0x0000000000290000-0x0000000000296000-memory.dmp
  Filesize: 24KB
- memory/2564-22-0x00000000001E0000-0x00000000001E6000-memory.dmp
  Filesize: 24KB