Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 25-05-2024 03:54
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-25_70d53404451461adaa8f39bccccfcf38_cryptolocker.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2024-05-25_70d53404451461adaa8f39bccccfcf38_cryptolocker.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-05-25_70d53404451461adaa8f39bccccfcf38_cryptolocker.exe
Size: 37KB
MD5: 70d53404451461adaa8f39bccccfcf38
SHA1: 17a89044610d5dde3caf675d8502c410b617903a
SHA256: 660cf5e5ce9c8537f309e92634ce06b739c14c71f79c908a826b85760c365187
SHA512: 4019efeea2aa3c738222d5c8cc9d53e0959e3987376dc946e5e1bdc052468cbcd184ce5b1a28e96b2d16f28875548696f6e5d841015d837b3b7c63dabfd93965
SSDEEP: 768:fTz7y3lhsT+hs1SQtOOtEvwDpjfAu9+4C:fT+hsMQMOtEvwDpjoIHC
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoCs)
  resource: behavioral1/files/0x000b000000014b31-10.dat
  yara_rule: CryptoLocker_rule2
Detection of Cryptolocker Samples (1 IoCs)
  resource: behavioral1/files/0x000b000000014b31-10.dat
  yara_rule: CryptoLocker_set1
Executes dropped EXE (1 IoCs)
  pid: 1940
  Process: misid.exe
Loads dropped DLL (1 IoCs)
  pid: 1276
  Process: 2024-05-25_70d53404451461adaa8f39bccccfcf38_cryptolocker.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       | pid  | Process                                                           | procid_target
  PID 1276 wrote to memory of 1940  | 1276 | 2024-05-25_70d53404451461adaa8f39bccccfcf38_cryptolocker.exe      | 28
  PID 1276 wrote to memory of 1940  | 1276 | 2024-05-25_70d53404451461adaa8f39bccccfcf38_cryptolocker.exe      | 28
  PID 1276 wrote to memory of 1940  | 1276 | 2024-05-25_70d53404451461adaa8f39bccccfcf38_cryptolocker.exe      | 28
  PID 1276 wrote to memory of 1940  | 1276 | 2024-05-25_70d53404451461adaa8f39bccccfcf38_cryptolocker.exe      | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-05-25_70d53404451461adaa8f39bccccfcf38_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-25_70d53404451461adaa8f39bccccfcf38_cryptolocker.exe"
   PID: 1276
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\misid.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      PID: 1940
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 37KB
MD5: b6dc8d90732115f4c230aab9b4664662
SHA1: 632bf3c3e6f6df9fd5c7859e83eea9bcac0f28bd
SHA256: f8aaca7ffde765019bdce506f0936fb5b4bcb4655fb3605b6e53613f9e066e4c
SHA512: 59033f2323ce4ae01a49fa0581a998a99dfd4f5627ca30c2f96c455b4173530158aafb9397b26a439c167ca044b05676b6abdf1da6087b3e9696d1e3aedf4831