Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 02:54
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe
  Resource: win10v2004-20240426-en
General
- Target: 2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe
- Size: 40KB
- MD5: ef5afb4aab095b643f25cd4d9db6649f
- SHA1: 4f4be4d59f3d632d44e62ec47cbbef8e3be0f22c
- SHA256: 37ed7b2afe5cc070f4227a51f5b2f13f2b2d75d149ea4e5e4e5dd6aa45e85acf
- SHA512: ca8e3c1727445395ae71b44cecd79b1b9c20a9eaa974f08326aa311793dabc8f124f8265c2974cb53c4d7d8aa2414ff396960e4fab4c372859131df2a7eaaa35
- SSDEEP: 768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjLeJAsKuDkP:ZzFbxmLPWQMOtEvwDpjLeJAsKc0
Malware Config
Signatures
- Detection of CryptoLocker Variants (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\misid.exe | CryptoLocker_rule2
  behavioral1/memory/940-24-0x0000000000230000-0x0000000000236000-memory.dmp | CryptoLocker_rule2
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  940 | misid.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  2188 | 2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 2188 wrote to memory of 940 | 2188 | 2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe | misid.exe
  PID 2188 wrote to memory of 940 | 2188 | 2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe | misid.exe
  PID 2188 wrote to memory of 940 | 2188 | 2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe | misid.exe
  PID 2188 wrote to memory of 940 | 2188 | 2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe | misid.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\misid.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\AppData\Local\Temp\misid.exe
  Filesize: 41KB
  MD5: fca5fdf1e09ad586e58ca2169e175941
  SHA1: 16883b8d9734a20634c5cb79e5b7a6ca095b4971
  SHA256: 8904d11a4cab741030c19ec910d2032bf0296f07b5d1e89f354df85edef7028b
  SHA512: 1be5ad99d0a900aeb5707c38bcdacf24f64a45e3bedc8d62dab3c2b876639a3facb92ed29db6b3cd84d8f025eb6727000076b08a17a368054da53cc2a468a021
- memory/940-16-0x0000000000470000-0x0000000000476000-memory.dmp
  Filesize: 24KB
- memory/940-23-0x0000000000440000-0x0000000000446000-memory.dmp
  Filesize: 24KB
- memory/940-24-0x0000000000230000-0x0000000000236000-memory.dmp
  Filesize: 24KB
- memory/2188-0-0x0000000000230000-0x0000000000233000-memory.dmp
  Filesize: 12KB
- memory/2188-1-0x0000000000280000-0x0000000000286000-memory.dmp
  Filesize: 24KB
- memory/2188-2-0x00000000002B0000-0x00000000002B6000-memory.dmp
  Filesize: 24KB
- memory/2188-9-0x0000000000280000-0x0000000000286000-memory.dmp
  Filesize: 24KB