Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 02:53
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-22_e8c52606abbc65b1ce26c9b84ac8e97c_cryptolocker.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 2024-05-22_e8c52606abbc65b1ce26c9b84ac8e97c_cryptolocker.exe
  Resource: win10v2004-20240426-en
General
Target: 2024-05-22_e8c52606abbc65b1ce26c9b84ac8e97c_cryptolocker.exe
Size: 70KB
MD5: e8c52606abbc65b1ce26c9b84ac8e97c
SHA1: 8e6cd470cc56f18b39f6dece93f3d7ea7a892a85
SHA256: 99ef1b2e3a71100f713398c07b18c871ae5c5705648978808c3adfab53046d16
SHA512: 648a5d36e5d8428554353e5e012288ed7040870c9f57e0a7ad3fab5328616233459cb59ca8aef8d094815748e3df3d7f2ca1ec2974cf11decc65eda78078b24b
SSDEEP: 768:vQz7yVEhs9+js1SQtOOtEvwDpjz9+4ZPsED3VK2+ZtyOjgO4r9vFAg2rq2g1B/Ro:vj+jsMQMOtEvwDpj5HZYTjipvF24Q
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\misid.exe    yara_rule: CryptoLocker_rule2
Detection of Cryptolocker Samples (1 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\misid.exe    yara_rule: CryptoLocker_set1
Executes dropped EXE (1 IoCs)
  Processes:
    pid: 1028    process: misid.exe
Loads dropped DLL (1 IoCs)
  Processes:
    pid: 2232    process: 2024-05-22_e8c52606abbc65b1ce26c9b84ac8e97c_cryptolocker.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                         pid   process                                                        target process
    PID 2232 wrote to memory of 1028    2232  2024-05-22_e8c52606abbc65b1ce26c9b84ac8e97c_cryptolocker.exe  misid.exe
    PID 2232 wrote to memory of 1028    2232  2024-05-22_e8c52606abbc65b1ce26c9b84ac8e97c_cryptolocker.exe  misid.exe
    PID 2232 wrote to memory of 1028    2232  2024-05-22_e8c52606abbc65b1ce26c9b84ac8e97c_cryptolocker.exe  misid.exe
    PID 2232 wrote to memory of 1028    2232  2024-05-22_e8c52606abbc65b1ce26c9b84ac8e97c_cryptolocker.exe  misid.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_e8c52606abbc65b1ce26c9b84ac8e97c_cryptolocker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-22_e8c52606abbc65b1ce26c9b84ac8e97c_cryptolocker.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2232
    C:\Users\Admin\AppData\Local\Temp\misid.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      - Executes dropped EXE
      PID: 1028
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 71KB
MD5: 9a1d866ff7426f129c7ea228a64ef0b4
SHA1: 7115c56b15b4e41fc5a22b9a7165928bf821204a
SHA256: e121a7ab5bb8a09a10918d205c924923025bf5da2b10d4c34fb75806bb8e35fc
SHA512: 1ee14a967319a8fec0031e2dd910d0d51bff8c50abb333182183cd0ee90af7420525d253a98dac1952feda144284406f86bff5a32789914e1bdeb06544b937ab