Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
10-06-2024 20:44
Behavioral task
behavioral1
Sample
2024-06-10_29aeba87c231fdba05ae8d496b0c39d7_cryptolocker.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
2024-06-10_29aeba87c231fdba05ae8d496b0c39d7_cryptolocker.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-06-10_29aeba87c231fdba05ae8d496b0c39d7_cryptolocker.exe
-
Size
60KB
-
MD5
29aeba87c231fdba05ae8d496b0c39d7
-
SHA1
f3db2782488f09b6615e37fad01f22b66367ad19
-
SHA256
8049504867fa59a61eae620d67ff962c8f7057f1cc851b5f7c56b9292eabe9b6
-
SHA512
e81de251d4c0601de2ec7d4b470e1c406572f56c171da8aedf67b91b907d6b94520cd199618f6a72d9671e249f7ef841c3f2329f75bb79bdc44d817eae926992
-
SSDEEP
768:H6LsoEEeegiZPvEhHSG+gk5NQXtckstOOtEvwDpjhBaD3TUogs/VXpAP6pd34:H6QFElP6n+gou9cvMOtEvwDpjCpVXz34
Malware Config
Signatures
-
Detection of CryptoLocker Variants 4 IoCs
resource yara_rule behavioral1/memory/2316-0-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_rule2 behavioral1/files/0x000a00000001431c-11.dat CryptoLocker_rule2 behavioral1/memory/2316-15-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_rule2 behavioral1/memory/1964-25-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 4 IoCs
resource yara_rule behavioral1/memory/2316-0-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_set1 behavioral1/files/0x000a00000001431c-11.dat CryptoLocker_set1 behavioral1/memory/2316-15-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_set1 behavioral1/memory/1964-25-0x0000000000500000-0x0000000000510000-memory.dmp CryptoLocker_set1 -
UPX dump on OEP (original entry point) 4 IoCs
resource yara_rule behavioral1/memory/2316-0-0x0000000000500000-0x0000000000510000-memory.dmp UPX behavioral1/files/0x000a00000001431c-11.dat UPX behavioral1/memory/2316-15-0x0000000000500000-0x0000000000510000-memory.dmp UPX behavioral1/memory/1964-25-0x0000000000500000-0x0000000000510000-memory.dmp UPX -
Executes dropped EXE 1 IoCs
pid Process 1964 asih.exe -
Loads dropped DLL 1 IoCs
pid Process 2316 2024-06-10_29aeba87c231fdba05ae8d496b0c39d7_cryptolocker.exe -
resource yara_rule behavioral1/memory/2316-0-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/files/0x000a00000001431c-11.dat upx behavioral1/memory/2316-15-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/memory/1964-25-0x0000000000500000-0x0000000000510000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2316 wrote to memory of 1964 2316 2024-06-10_29aeba87c231fdba05ae8d496b0c39d7_cryptolocker.exe 28 PID 2316 wrote to memory of 1964 2316 2024-06-10_29aeba87c231fdba05ae8d496b0c39d7_cryptolocker.exe 28 PID 2316 wrote to memory of 1964 2316 2024-06-10_29aeba87c231fdba05ae8d496b0c39d7_cryptolocker.exe 28 PID 2316 wrote to memory of 1964 2316 2024-06-10_29aeba87c231fdba05ae8d496b0c39d7_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-10_29aeba87c231fdba05ae8d496b0c39d7_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-10_29aeba87c231fdba05ae8d496b0c39d7_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:1964
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5fe490e85e54908a5a21b4420df9b2a57
SHA197f0908161ce9a4c1478cbfc25bf70bed3df7b98
SHA2569b069c22e9e9e13de88d2a0f2e62b2ecd61ba41a8f8f7d053cb406252c046fe6
SHA512ff36dd6d3778f2e2de14195fb1f96911cfbc9b74dc44b7a99174680c032fb04095eace5f0349450c3409734efa19b13e55f040b24fb3a91e80ff027240bdb39d