Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27/05/2024, 21:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-27_222652fcaefb01b206ee441deda1d067_cryptolocker.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-05-27_222652fcaefb01b206ee441deda1d067_cryptolocker.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-05-27_222652fcaefb01b206ee441deda1d067_cryptolocker.exe
Size: 40KB
MD5: 222652fcaefb01b206ee441deda1d067
SHA1: e7bc47738704de219d0e6622b9d1efeb2c2eba08
SHA256: d343832e46d112249d76aa440370531e1e6750f199edc361769e3df69527180e
SHA512: 7d2e9625563635e63a0c264732b5738d176bb69b697392460d1531c97f29883205603cb1a4d2bb5a4b6c080fcc86bced800c8238799a29bfb92ff9326f01b252
SSDEEP: 768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjLeJAsKuDky:ZzFbxmLPWQMOtEvwDpjLeJAsKcF
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoC)
  resource                                          | yara_rule
  behavioral1/files/0x00080000000122cd-11.dat       | CryptoLocker_rule2
Executes dropped EXE (1 IoC)
  pid  | Process
  2492 | misid.exe
Loads dropped DLL (1 IoC)
  pid  | Process
  2192 | 2024-05-27_222652fcaefb01b206ee441deda1d067_cryptolocker.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       | pid  | Process                                                        | procid_target
  PID 2192 wrote to memory of 2492  | 2192 | 2024-05-27_222652fcaefb01b206ee441deda1d067_cryptolocker.exe | 28
  PID 2192 wrote to memory of 2492  | 2192 | 2024-05-27_222652fcaefb01b206ee441deda1d067_cryptolocker.exe | 28
  PID 2192 wrote to memory of 2492  | 2192 | 2024-05-27_222652fcaefb01b206ee441deda1d067_cryptolocker.exe | 28
  PID 2192 wrote to memory of 2492  | 2192 | 2024-05-27_222652fcaefb01b206ee441deda1d067_cryptolocker.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-05-27_222652fcaefb01b206ee441deda1d067_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-27_222652fcaefb01b206ee441deda1d067_cryptolocker.exe"
   PID: 2192
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\misid.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      PID: 2492
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 40KB
MD5: 64c5a285dcb32b902173c2c18138b4b8
SHA1: 4d7251e3b126998e2d2af1dd45e98c6f74ccfc8b
SHA256: 33b70ff18669798e2c4359d9b9434b5987a910a2067586bb9af74cbb3bf6e36c
SHA512: dce97b475ece946ffb26fcbb23eefc971b681482e933f5d36b10928dc611d0ff208798fd084a48ce14d9664fc0ef0a196ac03a84ec36cca57e8feef967af3455