Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02/06/2024, 23:09
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-02_5b05b179fbc39ae636e3186687ebc46d_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-06-02_5b05b179fbc39ae636e3186687ebc46d_cryptolocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-02_5b05b179fbc39ae636e3186687ebc46d_cryptolocker.exe
-
Size
44KB
-
MD5
5b05b179fbc39ae636e3186687ebc46d
-
SHA1
77d2d14472fac330abefb13d28a424cd8527fa6e
-
SHA256
da2292a4414b522ea769a560959d23130b04ffc22e50f8a4f2ad2d766260654f
-
SHA512
780e269f8f945c2a38c1265520be072b90b6100d7415d0282f2c512448e6fd537fbf2c5af5efc0fc6088c8ef91ce073fc42a71de8bcabcda9ee885a9d73cd010
-
SSDEEP
384:bm74uGLLQRcsdeQ72ngEr4K7YmE8jb0nrlwfjDUadQC8i:bm74zYcgT/EkM0ryfjPdQZi
Malware Config
Signatures
-
Detection of CryptoLocker Variants 5 IoCs
resource yara_rule behavioral1/memory/2228-0-0x0000000008000000-0x000000000800D000-memory.dmp CryptoLocker_rule2 behavioral1/files/0x000b000000014712-11.dat CryptoLocker_rule2 behavioral1/memory/2840-16-0x0000000008000000-0x000000000800D000-memory.dmp CryptoLocker_rule2 behavioral1/memory/2228-15-0x0000000008000000-0x000000000800D000-memory.dmp CryptoLocker_rule2 behavioral1/memory/2840-25-0x0000000008000000-0x000000000800D000-memory.dmp CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
pid Process 2840 hasfj.exe -
Loads dropped DLL 1 IoCs
pid Process 2228 2024-06-02_5b05b179fbc39ae636e3186687ebc46d_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2228 wrote to memory of 2840 2228 2024-06-02_5b05b179fbc39ae636e3186687ebc46d_cryptolocker.exe 28 PID 2228 wrote to memory of 2840 2228 2024-06-02_5b05b179fbc39ae636e3186687ebc46d_cryptolocker.exe 28 PID 2228 wrote to memory of 2840 2228 2024-06-02_5b05b179fbc39ae636e3186687ebc46d_cryptolocker.exe 28 PID 2228 wrote to memory of 2840 2228 2024-06-02_5b05b179fbc39ae636e3186687ebc46d_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-02_5b05b179fbc39ae636e3186687ebc46d_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-02_5b05b179fbc39ae636e3186687ebc46d_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\hasfj.exe"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"2⤵
- Executes dropped EXE
PID:2840
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD5e786e06e46b552c28aef133d754dab01
SHA1cd6892debbc8c19ca82687b08dcc977741c83cd7
SHA25668b66e8a4b89b8c9c2f3d1e0bc24134e1776280f61a50a3ec759bf01968cc75e
SHA5127e0c0f0c53c46d202baa7c9608f837cd687a2f3b2e9ee9bf23de15bf6a84e54b40e3d7c5e5e7d4c95f775ae71c8a4874ecde9e820d63f9bcc7a6630020636095