Analysis
Max time kernel: 144s
Max time network: 148s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 11/06/2024, 02:29
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-11_619377dc86c408f981a42bb9a6339a5a_cryptolocker.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-06-11_619377dc86c408f981a42bb9a6339a5a_cryptolocker.exe
  Resource: win10v2004-20240426-en
General
Target: 2024-06-11_619377dc86c408f981a42bb9a6339a5a_cryptolocker.exe
Size: 43KB
MD5: 619377dc86c408f981a42bb9a6339a5a
SHA1: b4f19ab14306d9f2e8b060b0b18d292a239ab671
SHA256: b74f595d973eafd4659bd92beda8af607fc3bdaf52422580e090ae8edeb898cd
SHA512: ec26fac51e339e2cf0967df013daae378d889a54a75813aa33ab831fa58487a611acfbab02144b12aeff5f02c02454b49a40779878ad1629f86e43bd8c681542
SSDEEP: 768:XS5nQJ24LR1bytOOtEvwDpj66BLbjG9Rva/yYshNhH:i5nkFGMOtEvwDpjR+viHshNx
Malware Config
Signatures
Detection of CryptoLocker Variants (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1560-8-0x0000000000500000-0x000000000050F000-memory.dmp   CryptoLocker_rule2
  behavioral1/files/0x001000000001226b-11.dat                                  CryptoLocker_rule2
  behavioral1/memory/2544-16-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_rule2
  behavioral1/memory/2544-25-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_rule2

Detection of Cryptolocker Samples (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1560-8-0x0000000000500000-0x000000000050F000-memory.dmp   CryptoLocker_set1
  behavioral1/memory/2544-25-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_set1

Detects executables built or packed with MPress PE compressor (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1560-8-0x0000000000500000-0x000000000050F000-memory.dmp   INDICATOR_EXE_Packed_MPress
  behavioral1/files/0x001000000001226b-11.dat                                  INDICATOR_EXE_Packed_MPress
  behavioral1/memory/2544-16-0x0000000000500000-0x000000000050F000-memory.dmp  INDICATOR_EXE_Packed_MPress
  behavioral1/memory/2544-25-0x0000000000500000-0x000000000050F000-memory.dmp  INDICATOR_EXE_Packed_MPress

Executes dropped EXE (1 IoC)
  pid   Process
  2544  misid.exe

Loads dropped DLL (1 IoC)
  pid   Process
  1560  2024-06-11_619377dc86c408f981a42bb9a6339a5a_cryptolocker.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                                        procid_target
  PID 1560 wrote to memory of 2544  1560  2024-06-11_619377dc86c408f981a42bb9a6339a5a_cryptolocker.exe  28
  PID 1560 wrote to memory of 2544  1560  2024-06-11_619377dc86c408f981a42bb9a6339a5a_cryptolocker.exe  28
  PID 1560 wrote to memory of 2544  1560  2024-06-11_619377dc86c408f981a42bb9a6339a5a_cryptolocker.exe  28
  PID 1560 wrote to memory of 2544  1560  2024-06-11_619377dc86c408f981a42bb9a6339a5a_cryptolocker.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_619377dc86c408f981a42bb9a6339a5a_cryptolocker.exe (PID 1560)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-11_619377dc86c408f981a42bb9a6339a5a_cryptolocker.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\misid.exe (PID 2544)
      Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      - Executes dropped EXE
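The tree shows the submitted executable, running from the user's Temp directory, writing into and launching a second executable (misid.exe) from the same directory. As an added example that is not part of the report, the Python below runs that drop-and-execute logic over constructed process-creation events mirroring the tree (the PIDs and image paths are the report's; the parent of PID 1560 and the benign control row are made up) and also checks a file's MD5/SHA1/SHA256 against the sample hashes listed under General.

```python
import hashlib
from dataclasses import dataclass

# Hashes of the submitted sample, copied from the General section of the report.
KNOWN_SAMPLE_HASHES = {
    "md5": "619377dc86c408f981a42bb9a6339a5a",
    "sha1": "b4f19ab14306d9f2e8b060b0b18d292a239ab671",
    "sha256": "b74f595d973eafd4659bd92beda8af607fc3bdaf52422580e090ae8edeb898cd",
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string, keyed by algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in KNOWN_SAMPLE_HASHES}


def is_known_sample(data: bytes) -> bool:
    """True if any digest matches the sample in the report (exact-build match only)."""
    actual = file_hashes(data)
    return any(actual[name] == digest for name, digest in KNOWN_SAMPLE_HASHES.items())


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full image path as a process-creation event would log it


TEMP_MARKER = "\\appdata\\local\\temp\\"


def in_user_temp(path: str) -> bool:
    return TEMP_MARKER in path.lower()


def find_temp_drop_chains(events):
    """Flag a process in a user Temp dir spawning a different executable from the same
    Temp dir, which is the drop-and-execute pattern in the report's process tree.
    Returns (parent_pid, child_pid, child_image) tuples."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if (in_user_temp(parent.image) and in_user_temp(child.image)
                and parent.image.lower() != child.image.lower()):
            hits.append((parent.pid, child.pid, child.image))
    return hits


# Constructed events mirroring the report's tree. PIDs and paths are the report's;
# the parent PID 400 of the sample and the explorer.exe control row are invented.
SAMPLE_EVENTS = [
    ProcEvent(1560, 400, r"C:\Users\Admin\AppData\Local\Temp\2024-06-11_619377dc86c408f981a42bb9a6339a5a_cryptolocker.exe"),
    ProcEvent(2544, 1560, r"C:\Users\Admin\AppData\Local\Temp\misid.exe"),
    ProcEvent(3000, 400, r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for parent_pid, child_pid, image in find_temp_drop_chains(SAMPLE_EVENTS):
        print(f"drop-and-execute: {parent_pid} -> {child_pid} {image}")
```

Hash matching only catches this exact build (note that the 43KB file under Downloads already has different hashes from the submitted sample); the process-chain rule is the more durable signal and, in a real pipeline, should be joined with the WriteProcessMemory and dropped-file events the sandbox recorded rather than used alone.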
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 43KB
MD5: 6cd3b13ca59290d701cbd407d36c6f54
SHA1: 422c42737d8642f4c4d54ea85bd31d084bf32598
SHA256: b0b501dbcdd2670a0fd9df1b459a8094d682af83add803061bf86cfc0f0654b2
SHA512: 2b8de4e18afcc9d2e3105d7a69efb983d0d0d969a232ff1c8ab510ee788e6d51bb1dcb1ca91b32b4af650ea53a6bba6e874336134dcd76c64913b26878473e42