Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
02/06/2024, 23:44
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-02_086c2831349dc7480a591a0bee91209c_cryptolocker.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2024-06-02_086c2831349dc7480a591a0bee91209c_cryptolocker.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-06-02_086c2831349dc7480a591a0bee91209c_cryptolocker.exe
-
Size
43KB
-
MD5
086c2831349dc7480a591a0bee91209c
-
SHA1
ffe98f9c5fab6587e1fb06e8d3dada3947227be6
-
SHA256
d6f8f2a254dcbb32b272c287958adc698028ed275f496a6da2941ae4260771ba
-
SHA512
1f87e31c3466f50a2436ca3cde99f3dda3ec89badfda2c9901abfb1bba6bf52f03a325ce01e46a730145711dbd87a1650a43d385c2529d436b05dfecbe80ed28
-
SSDEEP
384:bm74uGLLQRcsdeQ72ngEr4K7YmE8jo0nrlwfjDUI/:bm74zYcgT/Ekn0ryfjT
Malware Config
Signatures
-
Detection of CryptoLocker Variants 6 IoCs
resource yara_rule behavioral1/memory/1728-0-0x0000000008000000-0x000000000800D000-memory.dmp CryptoLocker_rule2 behavioral1/files/0x000c000000015cd2-11.dat CryptoLocker_rule2 behavioral1/memory/1728-13-0x0000000001E10000-0x0000000001E1D000-memory.dmp CryptoLocker_rule2 behavioral1/memory/1728-16-0x0000000008000000-0x000000000800D000-memory.dmp CryptoLocker_rule2 behavioral1/memory/1036-18-0x0000000008000000-0x000000000800D000-memory.dmp CryptoLocker_rule2 behavioral1/memory/1036-27-0x0000000008000000-0x000000000800D000-memory.dmp CryptoLocker_rule2 -
Executes dropped EXE 1 IoCs
pid Process 1036 hasfj.exe -
Loads dropped DLL 1 IoCs
pid Process 1728 2024-06-02_086c2831349dc7480a591a0bee91209c_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1728 wrote to memory of 1036 1728 2024-06-02_086c2831349dc7480a591a0bee91209c_cryptolocker.exe 29 PID 1728 wrote to memory of 1036 1728 2024-06-02_086c2831349dc7480a591a0bee91209c_cryptolocker.exe 29 PID 1728 wrote to memory of 1036 1728 2024-06-02_086c2831349dc7480a591a0bee91209c_cryptolocker.exe 29 PID 1728 wrote to memory of 1036 1728 2024-06-02_086c2831349dc7480a591a0bee91209c_cryptolocker.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-02_086c2831349dc7480a591a0bee91209c_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-02_086c2831349dc7480a591a0bee91209c_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\hasfj.exe"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"2⤵
- Executes dropped EXE
PID:1036
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
44KB
MD57ae591cca3f99c4924c2c10c0de00e48
SHA1c3ef5c6b3d7e57398177b04aa700bad18e6a78d4
SHA2567237917422bbf869ccffb05e242de8c0186546dd811c10b4c87aea2d719d25f8
SHA5129e7ffb12106ba28c5face8528b458868520835d26dd65a1481dc0ea32cafc21aff2e65d5ea9371338e0a3045c7b7d273007a78b9edb3f8165a8d77d7de7e3556