Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
13-06-2024 03:31
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-13_44fcb97ce91adf2e3f09f98cd7359809_cryptolocker.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
2024-06-13_44fcb97ce91adf2e3f09f98cd7359809_cryptolocker.exe
Resource
win10v2004-20240611-en
General
-
Target
2024-06-13_44fcb97ce91adf2e3f09f98cd7359809_cryptolocker.exe
-
Size
44KB
-
MD5
44fcb97ce91adf2e3f09f98cd7359809
-
SHA1
31802e31f924e1c7bdaf837ee5a5d5a16bce8fa1
-
SHA256
1b87255c20de76c6dff140e87a2cfee8326c1eeaa4d6fc82d0c080696adeef13
-
SHA512
230750e080f9a28e2324709e4509de04424b798c9e125a16e0af6fc79b94b968f19f57c90f4c174aa0a2410d7f3649a3189d4582cfd3b944e763edafbf6ecc03
-
SSDEEP
768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqh6/agqEj:6j+1NMOtEvwDpjrRtqm
Malware Config
Signatures
-
Detection of CryptoLocker Variants 4 IoCs
resource yara_rule behavioral1/memory/2100-0-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/files/0x000500000000b309-13.dat CryptoLocker_rule2 behavioral1/memory/2100-15-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral1/memory/1584-25-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 4 IoCs
resource yara_rule behavioral1/memory/2100-0-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/files/0x000500000000b309-13.dat CryptoLocker_set1 behavioral1/memory/2100-15-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral1/memory/1584-25-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 -
Detects executables built or packed with MPress PE compressor 4 IoCs
resource yara_rule behavioral1/memory/2100-0-0x0000000000500000-0x000000000050F000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000000b309-13.dat INDICATOR_EXE_Packed_MPress behavioral1/memory/2100-15-0x0000000000500000-0x000000000050F000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1584-25-0x0000000000500000-0x000000000050F000-memory.dmp INDICATOR_EXE_Packed_MPress -
Executes dropped EXE 1 IoCs
pid Process 1584 misid.exe -
Loads dropped DLL 1 IoCs
pid Process 2100 2024-06-13_44fcb97ce91adf2e3f09f98cd7359809_cryptolocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2100 wrote to memory of 1584 2100 2024-06-13_44fcb97ce91adf2e3f09f98cd7359809_cryptolocker.exe 28 PID 2100 wrote to memory of 1584 2100 2024-06-13_44fcb97ce91adf2e3f09f98cd7359809_cryptolocker.exe 28 PID 2100 wrote to memory of 1584 2100 2024-06-13_44fcb97ce91adf2e3f09f98cd7359809_cryptolocker.exe 28 PID 2100 wrote to memory of 1584 2100 2024-06-13_44fcb97ce91adf2e3f09f98cd7359809_cryptolocker.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-13_44fcb97ce91adf2e3f09f98cd7359809_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-13_44fcb97ce91adf2e3f09f98cd7359809_cryptolocker.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\misid.exe"C:\Users\Admin\AppData\Local\Temp\misid.exe"2⤵
- Executes dropped EXE
PID:1584
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
44KB
MD5ee28ba77f0e104c90803a193fef615dc
SHA1a7296836800de7177e6ccd067fa2e8fa84898bda
SHA2568c1cb302ea5cc32e1a617c7751dc83c7f1d84fc9de6d8ae47154671a6025a598
SHA5122410bd6f63b6e6a0b5f303f6ac733b6ee64b84b80b4471c414343480f8a3a0f2e0490f942b3fd5f3a51e2593da599e15804a22c682cc7447537ff7cd8cc5ffb4