Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 20:32
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-22_3f31ee8ad8da4b9ad77aca3bdc43e50a_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-22_3f31ee8ad8da4b9ad77aca3bdc43e50a_cryptolocker.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-05-22_3f31ee8ad8da4b9ad77aca3bdc43e50a_cryptolocker.exe
-
Size
97KB
-
MD5
3f31ee8ad8da4b9ad77aca3bdc43e50a
-
SHA1
786dee5b0aab2e731bdd6ed07c78bcc345a36e79
-
SHA256
a4f26a6d972545b039a5db14641024117369b275a42ded73854706d73ba6dd23
-
SHA512
410735b5dc78f2de07bb2759c10158b7fc91bf53a1df4c7512e3aee4ef767458c11f7de828464bf5e833ac3b41d0f84718b6c982683b9165e82a622c5f8658d4
-
SSDEEP
1536:V6QFElP6n+gMQMOtEvwDpjQGYQbN/PKwNgp0A:V6a+pOtEvwDpjtzo
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\asih.exe CryptoLocker_rule2 -
Detection of Cryptolocker Samples 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\asih.exe CryptoLocker_set1 -
Executes dropped EXE 1 IoCs
Processes:
asih.exepid process 2032 asih.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-05-22_3f31ee8ad8da4b9ad77aca3bdc43e50a_cryptolocker.exepid process 1652 2024-05-22_3f31ee8ad8da4b9ad77aca3bdc43e50a_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-05-22_3f31ee8ad8da4b9ad77aca3bdc43e50a_cryptolocker.exedescription pid process target process PID 1652 wrote to memory of 2032 1652 2024-05-22_3f31ee8ad8da4b9ad77aca3bdc43e50a_cryptolocker.exe asih.exe PID 1652 wrote to memory of 2032 1652 2024-05-22_3f31ee8ad8da4b9ad77aca3bdc43e50a_cryptolocker.exe asih.exe PID 1652 wrote to memory of 2032 1652 2024-05-22_3f31ee8ad8da4b9ad77aca3bdc43e50a_cryptolocker.exe asih.exe PID 1652 wrote to memory of 2032 1652 2024-05-22_3f31ee8ad8da4b9ad77aca3bdc43e50a_cryptolocker.exe asih.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-22_3f31ee8ad8da4b9ad77aca3bdc43e50a_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-22_3f31ee8ad8da4b9ad77aca3bdc43e50a_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\asih.exeFilesize
97KB
MD59c15121070bfe18bbb6971900b3e57a5
SHA18024d61d17f64ff464962689b2f5cd4cf792bb9e
SHA25657c3c6eb05a9cdf06f523fd14b2499d4a0c77d3fb9a9c8e88c44fc9c560c93cb
SHA512e1dcda6c2be56972093d2517e04d237bcca54214bba1aa7a4b0021eeefb72bafd5f452dd49dfb2f900f7103a2156f04d534da2e1038bd4f7f3e4b3b737f400ae
-
memory/1652-1-0x0000000000300000-0x0000000000306000-memory.dmpFilesize
24KB
-
memory/1652-0-0x00000000002C0000-0x00000000002C6000-memory.dmpFilesize
24KB
-
memory/1652-8-0x00000000002C0000-0x00000000002C6000-memory.dmpFilesize
24KB
-
memory/2032-15-0x0000000000310000-0x0000000000316000-memory.dmpFilesize
24KB