Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 10/06/2024, 04:37
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-10_3e7bfb1672f927c0d5c8b19678daa9c1_cryptolocker.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-06-10_3e7bfb1672f927c0d5c8b19678daa9c1_cryptolocker.exe
  Resource: win10v2004-20240508-en
General
- Target: 2024-06-10_3e7bfb1672f927c0d5c8b19678daa9c1_cryptolocker.exe
- Size: 78KB
- MD5: 3e7bfb1672f927c0d5c8b19678daa9c1
- SHA1: 3ae0a5704a5fe715d4a2095e6f71c6493ad67efa
- SHA256: 19e6abcaf6af252fa87f1cc602839ee01870af0b77ccad8aafe68d67e19fd825
- SHA512: d92c665141400404d04e3586059e087251844da0f98acfb6ed1f3d4cd9850e0d3e693e344a0acccff19a886a4217cb23c659ba8524dfed0e8327f8949b37c675
- SSDEEP: 1536:ZzFbxmLPWQMOtEvwDpj386Sj/WprgJN6tZdOyJ3KUa:ZVxkGOtEvwDpjcam
Malware Config
Signatures
- Detection of CryptoLocker Variants (1 IoCs)
  resource                                     yara_rule
  behavioral1/files/0x000a000000012286-11.dat  CryptoLocker_rule2
- Executes dropped EXE (1 IoCs)
  pid   Process
  2880  misid.exe
- Loads dropped DLL (1 IoCs)
  pid   Process
  2140  2024-06-10_3e7bfb1672f927c0d5c8b19678daa9c1_cryptolocker.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                                                         procid_target
  PID 2140 wrote to memory of 2880   2140  2024-06-10_3e7bfb1672f927c0d5c8b19678daa9c1_cryptolocker.exe  29
  PID 2140 wrote to memory of 2880   2140  2024-06-10_3e7bfb1672f927c0d5c8b19678daa9c1_cryptolocker.exe  29
  PID 2140 wrote to memory of 2880   2140  2024-06-10_3e7bfb1672f927c0d5c8b19678daa9c1_cryptolocker.exe  29
  PID 2140 wrote to memory of 2880   2140  2024-06-10_3e7bfb1672f927c0d5c8b19678daa9c1_cryptolocker.exe  29
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-10_3e7bfb1672f927c0d5c8b19678daa9c1_cryptolocker.exe (PID:2140)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-10_3e7bfb1672f927c0d5c8b19678daa9c1_cryptolocker.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\misid.exe (PID:2880, child of 2140)
    Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 78KB
  MD5: 131413826a114edaa30e91a1deb8191c
  SHA1: aeb674dced35fd0da9d7ca6cdc86663fff5a8b53
  SHA256: 6a4104aefeeda5fbaea1965a106824e8162228d5ff4b1f216cbabdf5492f09aa
  SHA512: 55b3fdb4e7658b42b0e866893ebd281719d0f54c7cb9eccb55d48bae7aac4c62b21cb7791b966a812f464ec197d8d1ec7932ba1ebeb3b7eb8759271f22d103cb