Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
11-06-2024 19:30
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-11_54ad142bc62175e9b26e879f0be7f33f_cryptolocker.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-06-11_54ad142bc62175e9b26e879f0be7f33f_cryptolocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-11_54ad142bc62175e9b26e879f0be7f33f_cryptolocker.exe
-
Size
54KB
-
MD5
54ad142bc62175e9b26e879f0be7f33f
-
SHA1
8cbca27b0780d8e77b705f36a9963f5998809e16
-
SHA256
acf98fe6a7e91bdecbb3e7cab22b6be9aa9ff55779e156e6bde7faece1d1bd75
-
SHA512
c4fb48e7de69e9e07a62260ce923abc52ee8d4f20417568e2436e06ac2ccad3fda74b97283a74551ce07ec807f79ece20f210b151a5e72955557c2a43e9e5f83
-
SSDEEP
768:79inqyNR/QtOOtEvwDpjBK/rJ+Nw8qn8pKIRszDr6KAH:79mqyNhQMOtEvwDpjBxe8TpXRSDeKQ
Malware Config
Signatures
-
Detection of CryptoLocker Variants 4 IoCs
resource yara_rule behavioral1/memory/1920-0-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/files/0x000f000000012289-11.dat CryptoLocker_rule2 behavioral1/memory/1920-15-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/memory/1964-16-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 4 IoCs
resource yara_rule behavioral1/memory/1920-0-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/files/0x000f000000012289-11.dat CryptoLocker_set1 behavioral1/memory/1920-15-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/memory/1964-16-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 -
Executes dropped EXE 1 IoCs
pid Process 1964 asih.exe -
Loads dropped DLL 1 IoCs
pid Process 1920 2024-06-11_54ad142bc62175e9b26e879f0be7f33f_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1920 wrote to memory of 1964 1920 2024-06-11_54ad142bc62175e9b26e879f0be7f33f_cryptolocker.exe 28 PID 1920 wrote to memory of 1964 1920 2024-06-11_54ad142bc62175e9b26e879f0be7f33f_cryptolocker.exe 28 PID 1920 wrote to memory of 1964 1920 2024-06-11_54ad142bc62175e9b26e879f0be7f33f_cryptolocker.exe 28 PID 1920 wrote to memory of 1964 1920 2024-06-11_54ad142bc62175e9b26e879f0be7f33f_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_54ad142bc62175e9b26e879f0be7f33f_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-11_54ad142bc62175e9b26e879f0be7f33f_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:1964
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD52ee678ddbc9237b317e92c6c23e036d4
SHA11dcb6629ab243809dcb59173a3ac2c9c2f846835
SHA2565b055d085917dce1ed8eebcc347d42f6656111224b0ff294d397593406c8da7a
SHA5123b4d770be0526d311a87cc0d1dedbe153e0c4f6d93a13cfccc0fe0ca55779c25d6255d2fd014391572bbfe0b41b8243eef4618031d628d9c8314aaf554c7fc44