Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
submitted: 27-04-2024 22:40
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe
Size: 84KB
MD5: b3ba0acdc18155980e29b9ceb79f3953
SHA1: 710dac50cc9a1b07294c72fbc9a1d6d9c6f355f4
SHA256: 93286db839e47c53d166e7a980cf0fe75183dc68af5754635be6d005a39a7ce9
SHA512: 6154f470ea02fa513254df249df6c528f94bfcf87b65121fcdb8f1c9104fc0df0d8c75585617e04e93726b1b8077520d9c2832e3cf35d1be74037a04b62411d0
SSDEEP: 1536:vj+jsMQMOtEvwDpj5HwYYTjipvF2hBfWafHNBH:vCjsIOtEvwDpj5H9YvQd2v
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoCs)
  Processes:
  resource: \Users\Admin\AppData\Local\Temp\misid.exe  yara_rule: CryptoLocker_rule2
Detection of Cryptolocker Samples (1 IoCs)
  Processes:
  resource: \Users\Admin\AppData\Local\Temp\misid.exe  yara_rule: CryptoLocker_set1
Executes dropped EXE (1 IoCs)
  Processes:
  pid: 1996  process: misid.exe
Loads dropped DLL (1 IoCs)
  Processes:
  pid: 2824  process: 2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description: PID 2824 wrote to memory of 1996  pid: 2824  process: 2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe  target process: misid.exe
  description: PID 2824 wrote to memory of 1996  pid: 2824  process: 2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe  target process: misid.exe
  description: PID 2824 wrote to memory of 1996  pid: 2824  process: 2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe  target process: misid.exe
  description: PID 2824 wrote to memory of 1996  pid: 2824  process: 2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe  target process: misid.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\misid.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
\Users\Admin\AppData\Local\Temp\misid.exe
  Filesize: 84KB
  MD5: 86bb4bb5b76b5657161973d2e13a63b7
  SHA1: 8e82d1a5912023780245b14a7e1a7d13814c4c74
  SHA256: 400a825e6506744b6122bea932445574609e1ef4a4736de2da173a07ec4b0b2c
  SHA512: 6e5b3b4fc8ba6b57a1ff623b05774922f06454f3626fc1ab499263ad4f17c12f6f9051bafd46a5db63dd5381d7488415e06f89bb3f0b3672498932f85115c596
memory/1996-15-0x00000000004A0000-0x00000000004A6000-memory.dmp
  Filesize: 24KB
memory/1996-22-0x0000000000300000-0x0000000000306000-memory.dmp
  Filesize: 24KB
memory/2824-0-0x00000000004D0000-0x00000000004D6000-memory.dmp
  Filesize: 24KB
memory/2824-1-0x0000000001CA0000-0x0000000001CA6000-memory.dmp
  Filesize: 24KB
memory/2824-8-0x00000000004D0000-0x00000000004D6000-memory.dmp
  Filesize: 24KB