Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
23-05-2024 02:37
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-23_a1fc8ceab3238833cd2bf55b4778692a_cryptolocker.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2024-05-23_a1fc8ceab3238833cd2bf55b4778692a_cryptolocker.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-05-23_a1fc8ceab3238833cd2bf55b4778692a_cryptolocker.exe
-
Size
73KB
-
MD5
a1fc8ceab3238833cd2bf55b4778692a
-
SHA1
18b712ce58ca3ac702306877e179e4d724305c51
-
SHA256
9ac34500454ef98cf38da10d390dd2a7be3d873a07e626cbfeaa000cb0abaaae
-
SHA512
b3df950fab3ba43a0d60c602ced85d298ad840ec00a7b22d85051e861d9ed978a39cb46dd4fae66074a77e6cb2c7533f6d5018c91644ca4e5e43dede4a6f8ef6
-
SSDEEP
768:u6LsoEEeegiZPvEhHSG+gZgtOOtEvwDpjeY10Y/YMsu:u6QFElP6n+gWMOtEvwDpjJGYQbu
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\asih.exe CryptoLocker_rule2 -
Detection of Cryptolocker Samples 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\asih.exe CryptoLocker_set1 -
Executes dropped EXE 1 IoCs
Processes:
asih.exepid process 3004 asih.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-05-23_a1fc8ceab3238833cd2bf55b4778692a_cryptolocker.exepid process 2252 2024-05-23_a1fc8ceab3238833cd2bf55b4778692a_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2024-05-23_a1fc8ceab3238833cd2bf55b4778692a_cryptolocker.exedescription pid process target process PID 2252 wrote to memory of 3004 2252 2024-05-23_a1fc8ceab3238833cd2bf55b4778692a_cryptolocker.exe asih.exe PID 2252 wrote to memory of 3004 2252 2024-05-23_a1fc8ceab3238833cd2bf55b4778692a_cryptolocker.exe asih.exe PID 2252 wrote to memory of 3004 2252 2024-05-23_a1fc8ceab3238833cd2bf55b4778692a_cryptolocker.exe asih.exe PID 2252 wrote to memory of 3004 2252 2024-05-23_a1fc8ceab3238833cd2bf55b4778692a_cryptolocker.exe asih.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-23_a1fc8ceab3238833cd2bf55b4778692a_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-23_a1fc8ceab3238833cd2bf55b4778692a_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\asih.exeFilesize
73KB
MD5202c81b2f5ead6aa4108a7b369f02942
SHA1cebe53438d63a1d45fadcb1f8c885cdd2719cb79
SHA25643eeb1222d38e1a55cc8acf026d5d961accee488ec31001c5a597c8cadf5fcae
SHA512b74ecfac9c092e4b66d72f93b3fb1d3407246667865d46e67d2af610d07479cdca3c81a9064ba38c92a7bf0b13ae9eb52f0ba12ff91c98117965a0d6761d30bf
-
memory/2252-0-0x00000000002B0000-0x00000000002B6000-memory.dmpFilesize
24KB
-
memory/2252-1-0x00000000002F0000-0x00000000002F6000-memory.dmpFilesize
24KB
-
memory/2252-8-0x00000000002B0000-0x00000000002B6000-memory.dmpFilesize
24KB
-
memory/3004-22-0x0000000000240000-0x0000000000246000-memory.dmpFilesize
24KB
-
memory/3004-15-0x0000000000280000-0x0000000000286000-memory.dmpFilesize
24KB