Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 02:47
Static task
- static1
Behavioral task
- behavioral1
  Sample: 2024-05-22_bc3c7b14f589d2828611c67bf9b8dbec_cryptolocker.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 2024-05-22_bc3c7b14f589d2828611c67bf9b8dbec_cryptolocker.exe
  Resource: win10v2004-20240508-en
General
- Target: 2024-05-22_bc3c7b14f589d2828611c67bf9b8dbec_cryptolocker.exe
- Size: 78KB
- MD5: bc3c7b14f589d2828611c67bf9b8dbec
- SHA1: dfbd3b95f7d1f0d98655e28c02030f7a11490269
- SHA256: 84980547423b4cd6e04b1116c90f8a63557e0e43bd40e2597b2cd83b38225eea
- SHA512: c77a5bea0b4ef796c8915e00a299a8bb75e7a3859ab85121cc75bda5eda2a3261dc86945fa58d4f9735f24f51e02d8ce9da51bc7af4a570e5e2510469c256b80
- SSDEEP: 1536:ZzFbxmLPWQMOtEvwDpj386Sj/WprgJN6tZdOyJ3KUYZ:ZVxkGOtEvwDpjca2
Malware Config
Signatures
- Detection of CryptoLocker Variants (1 IoC)
  resource: \Users\Admin\AppData\Local\Temp\misid.exe
  yara_rule: CryptoLocker_rule2
- Executes dropped EXE (1 IoC)
  process: misid.exe (PID 2516)
- Loads dropped DLL (1 IoC)
  process: 2024-05-22_bc3c7b14f589d2828611c67bf9b8dbec_cryptolocker.exe (PID 2456)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2456 wrote to memory of 2516
  source process: 2024-05-22_bc3c7b14f589d2828611c67bf9b8dbec_cryptolocker.exe (PID 2456)
  target process: misid.exe (PID 2516)
  The same source/target pair is reported four times.
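The two behavioural signatures above ("Executes dropped EXE" and "Suspicious use of WriteProcessMemory") are the kind of chain an endpoint detection can reproduce from host telemetry: a FileCreate of an executable, a ProcessCreate of that same path by the process that wrote it, and a ProcessAccess in which the creator opens its child with the rights WriteProcessMemory needs (PROCESS_VM_WRITE together with PROCESS_VM_OPERATION). The following Python is an added example written for this page, not output of the sandbox or code from the sample. The events it runs over are constructed here to mirror the report's process tree (PID 2456 dropping and launching misid.exe as PID 2516); the dictionary field names are modelled loosely on Sysmon event IDs 1, 10 and 11 and are an assumption of this example, not a real capture.

```python
from collections import Counter

PARENT = r"C:\Users\Admin\AppData\Local\Temp\2024-05-22_bc3c7b14f589d2828611c67bf9b8dbec_cryptolocker.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\misid.exe"

# Process handle access bits (winnt.h). WriteProcessMemory needs VM_WRITE and VM_OPERATION.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# CONSTRUCTED Sysmon-style telemetry for this example; not a capture from the sandbox run.
EVENTS = [
    # 11 FileCreate: the parent writes misid.exe into %TEMP%
    {"id": 11, "pid": 2456, "image": PARENT, "target": DROPPED},
    # 1 ProcessCreate: the parent launches the file it just dropped
    {"id": 1, "pid": 2516, "image": DROPPED, "ppid": 2456, "pimage": PARENT},
    # 10 ProcessAccess: the parent opens its child with write rights (WriteProcessMemory)
    {"id": 10, "pid": 2456, "tpid": 2516, "access": PROCESS_VM_WRITE | PROCESS_VM_OPERATION},
    {"id": 10, "pid": 2456, "tpid": 2516, "access": PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_VM_READ},
    # 10 ProcessAccess: a read-only handle from an unrelated PID to the same child; must not fire
    {"id": 10, "pid": 9001, "tpid": 2516, "access": PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ},
    # 1 ProcessCreate: unrelated process with no prior FileCreate; must not fire
    {"id": 1, "pid": 3000, "image": r"C:\Windows\System32\notepad.exe", "ppid": 1234,
     "pimage": r"C:\Windows\explorer.exe"},
]


def executes_dropped_exe(events):
    """Return (creator_pid, new_pid, image) for each process whose image file was
    written earlier in the stream by the same PID that then became its parent."""
    dropped_by = {}  # normalised path -> PID that created the file
    hits = []
    for ev in events:
        if ev["id"] == 11:
            dropped_by[ev["target"].lower()] = ev["pid"]
        elif ev["id"] == 1:
            creator = dropped_by.get(ev["image"].lower())
            if creator is not None and creator == ev["ppid"]:
                hits.append((creator, ev["pid"], ev["image"]))
    return hits


def writes_to_child_memory(events):
    """Count ProcessAccess events in which a process opens its own child with a
    granted-access mask that includes every right WriteProcessMemory requires."""
    parent_of = {ev["pid"]: ev["ppid"] for ev in events if ev["id"] == 1}
    needed = PROCESS_VM_WRITE | PROCESS_VM_OPERATION
    counts = Counter()
    for ev in events:
        if ev["id"] != 10:
            continue
        if ev["access"] & needed != needed:
            continue  # read-only or query-only handle, not enough for WriteProcessMemory
        if parent_of.get(ev["tpid"]) == ev["pid"]:
            counts[(ev["pid"], ev["tpid"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for creator, child, image in executes_dropped_exe(EVENTS):
        print(f"Executes dropped EXE: PID {creator} dropped and started {image} as PID {child}")
    for (src, dst), n in writes_to_child_memory(EVENTS).items():
        print(f"Write-capable handle to child: PID {src} -> PID {dst} ({n} events)")
```

The parent/child requirement in writes_to_child_memory is deliberate: the report's IoC is a process writing into a process it spawned itself, which is a much rarer event on a workstation than cross-process access in general (debuggers, AV engines and some monitoring agents open unrelated processes with VM_READ routinely), so keying on the lineage keeps the rule quiet without loosening the access-mask check.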
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-05-22_bc3c7b14f589d2828611c67bf9b8dbec_cryptolocker.exe (PID 2456)
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-22_bc3c7b14f589d2828611c67bf9b8dbec_cryptolocker.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\misid.exe (PID 2516, child of PID 2456)
      command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\AppData\Local\Temp\misid.exe
  Filesize: 78KB
  MD5: a88670430839bf1ca0872f876fe82f84
  SHA1: 13470c32ef08281101c140588642921fd4c5a593
  SHA256: 435eed41226328733c18be9dd317ea14d4aabc73871eac287202d79c7c45421e
  SHA512: 946cf35f94fe3e76e42d33c1e52e654685e4a0d0a219ce950e18de99be37b99a49e3f59c98419f709d55dc7ae0165e785bd01cd12701b3ad40393572dda8b34b
- memory/2456-1-0x0000000000230000-0x0000000000233000-memory.dmp
  Filesize: 12KB
- memory/2456-0-0x0000000000440000-0x0000000000446000-memory.dmp
  Filesize: 24KB
- memory/2456-2-0x0000000000440000-0x0000000000446000-memory.dmp
  Filesize: 24KB
- memory/2456-3-0x0000000000470000-0x0000000000476000-memory.dmp
  Filesize: 24KB
- memory/2516-16-0x0000000000200000-0x0000000000206000-memory.dmp
  Filesize: 24KB
- memory/2516-23-0x00000000001D0000-0x00000000001D6000-memory.dmp
  Filesize: 24KB
- memory/2516-24-0x00000000001C0000-0x00000000001C6000-memory.dmp
  Filesize: 24KB
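The memory dump names above encode the owning PID and the dumped virtual address range, and the reported Filesize should equal that range. The Python below is an added example for this page (not tooling from the sandbox) that parses the names, checks each reported size against the address range, and groups the unique regions per process so an analyst can see what was actually carved from 2456 and 2516. It assumes the name layout is memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp, where the middle number is taken to be a dump sequence index; that reading of the middle field is an assumption of this example. The table of names and sizes is copied from the report.

```python
import re

# Dump names and reported sizes, copied from the Downloads list of this report.
DUMPS = {
    "memory/2456-1-0x0000000000230000-0x0000000000233000-memory.dmp": "12KB",
    "memory/2456-0-0x0000000000440000-0x0000000000446000-memory.dmp": "24KB",
    "memory/2456-2-0x0000000000440000-0x0000000000446000-memory.dmp": "24KB",
    "memory/2456-3-0x0000000000470000-0x0000000000476000-memory.dmp": "24KB",
    "memory/2516-16-0x0000000000200000-0x0000000000206000-memory.dmp": "24KB",
    "memory/2516-23-0x00000000001D0000-0x00000000001D6000-memory.dmp": "24KB",
    "memory/2516-24-0x00000000001C0000-0x00000000001C6000-memory.dmp": "24KB",
}

# Assumed layout: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
PAGE = 0x1000  # x86/x64 page size; dump boundaries are expected to be page aligned


def parse_dump_name(name):
    """Split a dump file name into pid, index and address range; size is end - start."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end, "size": end - start}


def parse_size(text):
    """Convert the report's '12KB' style size to bytes (KB here means 1024 bytes)."""
    m = re.fullmatch(r"(\d+)\s*(B|KB|MB)", text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return int(m[1]) * {"B": 1, "KB": 1024, "MB": 1024 * 1024}[m[2]]


def check_dumps(dumps):
    """Return one record per dump with the range-derived size, the reported size,
    whether they agree, and whether both boundaries are page aligned."""
    out = []
    for name, reported in dumps.items():
        rec = parse_dump_name(name)
        rec["reported"] = parse_size(reported)
        rec["consistent"] = rec["size"] == rec["reported"]
        rec["page_aligned"] = rec["start"] % PAGE == 0 and rec["end"] % PAGE == 0
        out.append(rec)
    return out


def regions_by_pid(dumps):
    """Map each PID to its sorted set of distinct (start, end) ranges; a range that
    appears under more than one index was dumped more than once."""
    regions = {}
    for name in dumps:
        rec = parse_dump_name(name)
        regions.setdefault(rec["pid"], set()).add((rec["start"], rec["end"]))
    return {pid: sorted(r) for pid, r in regions.items()}


if __name__ == "__main__":
    for rec in check_dumps(DUMPS):
        flag = "ok" if rec["consistent"] else "MISMATCH"
        print(f"PID {rec['pid']} #{rec['idx']} 0x{rec['start']:X}-0x{rec['end']:X} "
              f"{rec['size']} B (reported {rec['reported']} B) {flag}")
    for pid, ranges in regions_by_pid(DUMPS).items():
        print(f"PID {pid}: {len(ranges)} distinct region(s)")
```

For this report every size agrees with its range and all boundaries are page aligned; the 0x440000-0x446000 region of PID 2456 appears under two indices, so that region was captured twice during the run.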