Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09-06-2024 03:19
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-09_f2f8dcaac8ec7553850d60dcbc7d1009_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-06-09_f2f8dcaac8ec7553850d60dcbc7d1009_cryptolocker.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-06-09_f2f8dcaac8ec7553850d60dcbc7d1009_cryptolocker.exe
-
Size
58KB
-
MD5
f2f8dcaac8ec7553850d60dcbc7d1009
-
SHA1
e4b26209830ff3a682a56bbbb03dc4550ba8ede4
-
SHA256
a8ac012c5b6fa12204d603c4eeb58a719df7246d6931773cbd05629aa05d5c99
-
SHA512
17462a702331f3cf96964cbea23b137fbcf5a27b33f17fe8e88e31ada49735ea13b59199992d4e979e03d216bba52d66ef06d8a17f5c5f9878e16dfee9cba272
-
SSDEEP
768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPOYRmNxt5QJz7/e64T:6j+1NMOtEvwDpjr8oxExe64T
Malware Config
Signatures
-
Detection of CryptoLocker Variants 4 IoCs
resource yara_rule behavioral1/memory/1252-0-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/files/0x000d000000014267-11.dat CryptoLocker_rule2 behavioral1/memory/1252-15-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/memory/1724-25-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 4 IoCs
resource yara_rule behavioral1/memory/1252-0-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/files/0x000d000000014267-11.dat CryptoLocker_set1 behavioral1/memory/1252-15-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/memory/1724-25-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 -
Detects executables built or packed with MPress PE compressor 4 IoCs
resource yara_rule behavioral1/memory/1252-0-0x0000000000500000-0x000000000050F000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/files/0x000d000000014267-11.dat INDICATOR_EXE_Packed_MPress behavioral1/memory/1252-15-0x0000000000500000-0x000000000050F000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1724-25-0x0000000000500000-0x000000000050F000-memory.dmp INDICATOR_EXE_Packed_MPress -
Executes dropped EXE 1 IoCs
pid Process 1724 misid.exe -
Loads dropped DLL 1 IoCs
pid Process 1252 2024-06-09_f2f8dcaac8ec7553850d60dcbc7d1009_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1252 wrote to memory of 1724 1252 2024-06-09_f2f8dcaac8ec7553850d60dcbc7d1009_cryptolocker.exe 28 PID 1252 wrote to memory of 1724 1252 2024-06-09_f2f8dcaac8ec7553850d60dcbc7d1009_cryptolocker.exe 28 PID 1252 wrote to memory of 1724 1252 2024-06-09_f2f8dcaac8ec7553850d60dcbc7d1009_cryptolocker.exe 28 PID 1252 wrote to memory of 1724 1252 2024-06-09_f2f8dcaac8ec7553850d60dcbc7d1009_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-09_f2f8dcaac8ec7553850d60dcbc7d1009_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-09_f2f8dcaac8ec7553850d60dcbc7d1009_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Users\Admin\AppData\Local\Temp\misid.exe"C:\Users\Admin\AppData\Local\Temp\misid.exe"2⤵
- Executes dropped EXE
PID:1724
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
58KB
MD52fa7e404e4453dab7781f41c0f341514
SHA1bec59907fb165ce914d2cd1d38f451ec14fbae28
SHA2569f877afbffef8a39d20c8172f85ba1816f3d520808d0bf23758075dd0150d624
SHA512267c36c3b8b7d4cfb4b7e9bdd8158da49198464ae1c8b09ef6f2bdc5572171e352cb3123980043cc34153e76c6b9e98fc751ebfa9b3a2e2691eaa7f22cd9c215