Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 03/06/2024, 07:45
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-03_c5b05103f199c47dfd8fa58ff609d129_cryptolocker.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 2024-06-03_c5b05103f199c47dfd8fa58ff609d129_cryptolocker.exe
  Resource: win10v2004-20240426-en
General
Target: 2024-06-03_c5b05103f199c47dfd8fa58ff609d129_cryptolocker.exe
Size: 39KB
MD5: c5b05103f199c47dfd8fa58ff609d129
SHA1: 1480994d1e47308a803313a43215b3fb4df81253
SHA256: ba7c74af0dad09ae4ba8e7a35f537ec3d7e6ace2d4a36127c722c10911e6d862
SHA512: e099a3bca148812b98d262e3462fbeb84442105d1cf2eb1fc8ec4b9ad0231c9275f99ab86ee5ca8e62d4796652c2ad50726df6b3fe4f8d69e20b05cbf7476797
SSDEEP: 768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjLenUDq6:ZzFbxmLPWQMOtEvwDpjLe16
Malware Config
Signatures
Detection of CryptoLocker Variants (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0007000000012120-11.dat | CryptoLocker_rule2
  behavioral1/memory/1984-16-0x0000000000230000-0x00000000002B0000-memory.dmp | CryptoLocker_rule2
Executes dropped EXE (1 IoCs)
  pid | Process
  1984 | misid.exe
Loads dropped DLL (1 IoCs)
  pid | Process
  1008 | 2024-06-03_c5b05103f199c47dfd8fa58ff609d129_cryptolocker.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1008 wrote to memory of 1984 | 1008 | 2024-06-03_c5b05103f199c47dfd8fa58ff609d129_cryptolocker.exe | 28
  PID 1008 wrote to memory of 1984 | 1008 | 2024-06-03_c5b05103f199c47dfd8fa58ff609d129_cryptolocker.exe | 28
  PID 1008 wrote to memory of 1984 | 1008 | 2024-06-03_c5b05103f199c47dfd8fa58ff609d129_cryptolocker.exe | 28
  PID 1008 wrote to memory of 1984 | 1008 | 2024-06-03_c5b05103f199c47dfd8fa58ff609d129_cryptolocker.exe | 28
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_c5b05103f199c47dfd8fa58ff609d129_cryptolocker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-03_c5b05103f199c47dfd8fa58ff609d129_cryptolocker.exe"
  PID: 1008
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\misid.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
    PID: 1984
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 39KB
MD5: 961aed16554f5802ae9959e3fc2db61f
SHA1: 5574b9f315d567a030ce6874a4f6b85ec5b95d50
SHA256: 689552e1523914932f20d780a702a0401efd97420432420f6ba3f6d819dbcfd5
SHA512: f84adbe8d795b269c80afe2ff5a803eed0a5209e24b0da3e8640b5f93a66e7acc7d8bcbdd24d5934c1806696584309da5debdf1f0725f49735adfca28f089afc