Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
02/06/2024, 04:49
Behavioral task
behavioral1
Sample
2024-06-02_f5ef3878a215808de9842f5df3174c06_cryptolocker.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-06-02_f5ef3878a215808de9842f5df3174c06_cryptolocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-02_f5ef3878a215808de9842f5df3174c06_cryptolocker.exe
-
Size
53KB
-
MD5
f5ef3878a215808de9842f5df3174c06
-
SHA1
ee464c3a2310ecfdf15fdcae6dc749026e7abc42
-
SHA256
1f806b21c34c0510c5b9041e36e6f7b14800b8f59eb1d3683f24eef41b176146
-
SHA512
758a4b3b7932cef7c6cc39a67377621b8b604c4b9136811a619771ac4f19ae8024c0aef29578fd47f83a3937c34ea5a84c2cfb373a5c8abf6012680ba5fadba1
-
SSDEEP
768:bODOw9UiamWUB2preAr+OfjH/0S16avdrQFiLjJvtOX1:bODOw9acifAoc+v6
Malware Config
Signatures
-
Detection of CryptoLocker Variants 4 IoCs
resource yara_rule behavioral1/memory/1688-0-0x0000000008000000-0x000000000800F000-memory.dmp CryptoLocker_rule2 behavioral1/files/0x0009000000014539-11.dat CryptoLocker_rule2 behavioral1/memory/1688-15-0x0000000008000000-0x000000000800F000-memory.dmp CryptoLocker_rule2 behavioral1/memory/1756-25-0x0000000008000000-0x000000000800F000-memory.dmp CryptoLocker_rule2 -
UPX dump on OEP (original entry point) 4 IoCs
resource yara_rule behavioral1/memory/1688-0-0x0000000008000000-0x000000000800F000-memory.dmp UPX behavioral1/files/0x0009000000014539-11.dat UPX behavioral1/memory/1688-15-0x0000000008000000-0x000000000800F000-memory.dmp UPX behavioral1/memory/1756-25-0x0000000008000000-0x000000000800F000-memory.dmp UPX -
Executes dropped EXE 1 IoCs
pid Process 1756 lossy.exe -
Loads dropped DLL 1 IoCs
pid Process 1688 2024-06-02_f5ef3878a215808de9842f5df3174c06_cryptolocker.exe -
resource yara_rule behavioral1/memory/1688-0-0x0000000008000000-0x000000000800F000-memory.dmp upx behavioral1/files/0x0009000000014539-11.dat upx behavioral1/memory/1688-15-0x0000000008000000-0x000000000800F000-memory.dmp upx behavioral1/memory/1756-25-0x0000000008000000-0x000000000800F000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1688 wrote to memory of 1756 1688 2024-06-02_f5ef3878a215808de9842f5df3174c06_cryptolocker.exe 28 PID 1688 wrote to memory of 1756 1688 2024-06-02_f5ef3878a215808de9842f5df3174c06_cryptolocker.exe 28 PID 1688 wrote to memory of 1756 1688 2024-06-02_f5ef3878a215808de9842f5df3174c06_cryptolocker.exe 28 PID 1688 wrote to memory of 1756 1688 2024-06-02_f5ef3878a215808de9842f5df3174c06_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-02_f5ef3878a215808de9842f5df3174c06_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-02_f5ef3878a215808de9842f5df3174c06_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\lossy.exe"C:\Users\Admin\AppData\Local\Temp\lossy.exe"2⤵
- Executes dropped EXE
PID:1756
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD5095fbbc4d1384c2791faeea0b0cfb189
SHA1cee651161a81fd64a909e5219d954eaef6a408ee
SHA2565a0902a28c4e2450e527f896d9598c5c868d9acc8b0f28ce3d6f257fb6878b7c
SHA5120814f57573e5f8a96d7c6e273e05268f2e199244b04a15b8c58bc594ccfae8722ebc68999bf15b383612c3deab550ef296a05d9ffa77149d129f33bcb0cba212