Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
29-04-2024 19:41
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-29_586fcc823f3666e62a109f5b3d7046f0_cryptolocker.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
2024-04-29_586fcc823f3666e62a109f5b3d7046f0_cryptolocker.exe
Resource
win10v2004-20240419-en
General
-
Target
2024-04-29_586fcc823f3666e62a109f5b3d7046f0_cryptolocker.exe
-
Size
43KB
-
MD5
586fcc823f3666e62a109f5b3d7046f0
-
SHA1
a9122c79728c9fcdbf1c50f3707fda95f7a10d6f
-
SHA256
11ec6cd792a9b9056e244cb9b5c986f88799265cecf7d0aae194cf58fbccfa82
-
SHA512
75514f6e2f3bcdbbf3e38a98c0a357cc1aef80fcc25370e6f7d002c4ef6e47a6790cbc2cf14ef17711457dd2642d7a31aaf8729f02ec95c985bceae6d69c37ae
-
SSDEEP
768:TS5nQJ24LR7tOOtEvwDpjGqPhqlcnvhx5/xFRp5jRL:m5nkFNMOtEvwDpjG8hhXj5h
Malware Config
Signatures
-
Detection of CryptoLocker Variants 5 IoCs
resource yara_rule behavioral2/memory/1696-0-0x0000000000500000-0x000000000050E000-memory.dmp CryptoLocker_rule2 behavioral2/files/0x000c000000023b54-13.dat CryptoLocker_rule2 behavioral2/memory/1696-17-0x0000000000500000-0x000000000050E000-memory.dmp CryptoLocker_rule2 behavioral2/memory/1356-18-0x0000000000500000-0x000000000050E000-memory.dmp CryptoLocker_rule2 behavioral2/memory/1356-27-0x0000000000500000-0x000000000050E000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 3 IoCs
resource yara_rule behavioral2/memory/1696-17-0x0000000000500000-0x000000000050E000-memory.dmp CryptoLocker_set1 behavioral2/memory/1356-18-0x0000000000500000-0x000000000050E000-memory.dmp CryptoLocker_set1 behavioral2/memory/1356-27-0x0000000000500000-0x000000000050E000-memory.dmp CryptoLocker_set1 -
Detects executables built or packed with MPress PE compressor 5 IoCs
resource yara_rule behavioral2/memory/1696-0-0x0000000000500000-0x000000000050E000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x000c000000023b54-13.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/1696-17-0x0000000000500000-0x000000000050E000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/1356-18-0x0000000000500000-0x000000000050E000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/1356-27-0x0000000000500000-0x000000000050E000-memory.dmp INDICATOR_EXE_Packed_MPress -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation 2024-04-29_586fcc823f3666e62a109f5b3d7046f0_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 1356 misid.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1696 wrote to memory of 1356 1696 2024-04-29_586fcc823f3666e62a109f5b3d7046f0_cryptolocker.exe 84 PID 1696 wrote to memory of 1356 1696 2024-04-29_586fcc823f3666e62a109f5b3d7046f0_cryptolocker.exe 84 PID 1696 wrote to memory of 1356 1696 2024-04-29_586fcc823f3666e62a109f5b3d7046f0_cryptolocker.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-29_586fcc823f3666e62a109f5b3d7046f0_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-29_586fcc823f3666e62a109f5b3d7046f0_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Users\Admin\AppData\Local\Temp\misid.exe"C:\Users\Admin\AppData\Local\Temp\misid.exe"2⤵
- Executes dropped EXE
PID:1356
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
44KB
MD54782e1573b8d618da2e4687cfe3b8574
SHA1b2c62e9bfdcbe75dbe512d781f1a6c8105807910
SHA256c98d4f73ac1df7dad18a8f2dfa498fd63411fe7eaa4faee47f06c28e84998baf
SHA5120ea8bb8158f04f97cabf93f1868226e7b849fb5df27f5bbc7ad8d3d21d2c6cdba33c30b348bef6b7872af50514649083813cbd674afb5ce62804d60b2b87f674