Analysis
-
max time kernel
150s
-
max time network
154s
-
platform
windows7_x64
-
resource
win7-20240704-en
-
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
-
submitted
27/07/2024, 06:21
Static task
static1
Behavioral task
behavioral1
Sample
2024-07-27_052768b99c0ebf7ed32789ba8e37acb8_cryptolocker.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
2024-07-27_052768b99c0ebf7ed32789ba8e37acb8_cryptolocker.exe
Resource
win10v2004-20240709-en
General
-
Target
2024-07-27_052768b99c0ebf7ed32789ba8e37acb8_cryptolocker.exe
-
Size
49KB
-
MD5
052768b99c0ebf7ed32789ba8e37acb8
-
SHA1
d8c43f24a08310557c32257267a293e7ba41bcae
-
SHA256
3200d746d5cee5aaf834baec4fcceb2928d154c0dfdb981d5941638853389c9f
-
SHA512
b4c03365875ef03f765d4fdf5e256a847618742c51594cd465a8162a948ebd700abe493ec8bd3167cb36f5102b61855c148cd0915a54c5d1775bde329a9acc64
-
SSDEEP
384:icX+ni9VCr5nQI021q4VQBqURYp055TOtOOtEvwDpjqIGR/hHi7/OlI0G/74zpzP:XS5nQJ24LR1bytOOtEvwDpjNbP/0Geht
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
2124 misid.exe
-
Loads dropped DLL 1 IoCs
pid Process
2304 2024-07-27_052768b99c0ebf7ed32789ba8e37acb8_cryptolocker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-07-27_052768b99c0ebf7ed32789ba8e37acb8_cryptolocker.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language misid.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2304 wrote to memory of 2124 2304 2024-07-27_052768b99c0ebf7ed32789ba8e37acb8_cryptolocker.exe 30
PID 2304 wrote to memory of 2124 2304 2024-07-27_052768b99c0ebf7ed32789ba8e37acb8_cryptolocker.exe 30
PID 2304 wrote to memory of 2124 2304 2024-07-27_052768b99c0ebf7ed32789ba8e37acb8_cryptolocker.exe 30
PID 2304 wrote to memory of 2124 2304 2024-07-27_052768b99c0ebf7ed32789ba8e37acb8_cryptolocker.exe 30
Note: all four writes go from the parent (PID 2304) into the child it has just started (PID 2124). Writes from a parent into a freshly created child also occur during normal process creation, so on its own this signature does not establish code injection; the dropped-EXE execution and the NLS\Language lookup in both processes are the more telling indicators here.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\2024-07-27_052768b99c0ebf7ed32789ba8e37acb8_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-27_052768b99c0ebf7ed32789ba8e37acb8_cryptolocker.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID:2304
   -
   2. C:\Users\Admin\AppData\Local\Temp\misid.exe (child of PID 2304)
      Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:2124
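The process tree and signatures above can be turned into a small detection rule. The following is an added example and is not code from the sandbox or from the sample: it replays a constructed event stream modelled on this report (PIDs 2304 and 2124, the two %TEMP% paths, the NLS\Language key, four WriteProcessMemory calls) and flags the same three behaviours the report lists. The event schema, the placeholder parent PID 1234 for the sample, and the `file_write` event that stands in for the drop of misid.exe are assumptions; the report only shows that misid.exe was a dropped EXE, not the write itself.

```python
"""Added example: detection logic over a constructed event stream (not the sandbox's export format)."""
import ntpath
from collections import defaultdict

LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-07-27_052768b99c0ebf7ed32789ba8e37acb8_cryptolocker.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\misid.exe"

# Constructed from the report's process tree and signature tables.
# ppid 1234 for the sample and the file_write event are assumptions (see lead-in).
EVENTS = [
    {"type": "process_start", "pid": 2304, "ppid": 1234, "image": SAMPLE},
    {"type": "reg_open", "pid": 2304, "key": LANGUAGE_KEY},
    {"type": "file_write", "pid": 2304, "path": DROPPED},
    {"type": "process_start", "pid": 2124, "ppid": 2304, "image": DROPPED},
    *[{"type": "write_process_memory", "pid": 2304, "target_pid": 2124} for _ in range(4)],
    {"type": "reg_open", "pid": 2124, "key": LANGUAGE_KEY},
]


def _norm(path):
    # Windows paths are case-insensitive; normalise before comparing.
    return ntpath.normcase(path)


def dropped_exe_executions(events):
    """Return (dropper_pid, child_pid, image) for each process whose image file was
    written earlier in the trace by the very process that then started it."""
    writers = defaultdict(set)  # normalised path -> pids that wrote that file
    hits = []
    for ev in events:
        if ev["type"] == "file_write":
            writers[_norm(ev["path"])].add(ev["pid"])
        elif ev["type"] == "process_start":
            if ev["ppid"] in writers.get(_norm(ev["image"]), ()):
                hits.append((ev["ppid"], ev["pid"], ev["image"]))
    return hits


def language_discovery(events):
    """PIDs that opened the NLS\\Language key (System Language Discovery)."""
    return sorted({ev["pid"] for ev in events
                   if ev["type"] == "reg_open" and _norm(ev["key"]) == _norm(LANGUAGE_KEY)})


def cross_process_writes(events):
    """Count WriteProcessMemory per (writer, target) and record whether the target is a
    child the writer started itself. Writes into a freshly created child happen during
    normal process creation, so only writes into a non-child are treated as injection."""
    parent_of = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process_start"}
    counts = defaultdict(int)
    for ev in events:
        if ev["type"] == "write_process_memory":
            counts[(ev["pid"], ev["target_pid"])] += 1
    return {pair: {"count": n, "own_child": parent_of.get(pair[1]) == pair[0]}
            for pair, n in counts.items()}


def triggered_signatures(events):
    """Names of the behaviours found, mirroring the report's signature headings."""
    sigs = []
    if dropped_exe_executions(events):
        sigs.append("Executes dropped EXE")
    if language_discovery(events):
        sigs.append("System Language Discovery")
    if any(not w["own_child"] for w in cross_process_writes(events).values()):
        sigs.append("WriteProcessMemory into non-child process")
    return sigs


if __name__ == "__main__":
    print(dropped_exe_executions(EVENTS))
    print(language_discovery(EVENTS))
    print(cross_process_writes(EVENTS))
    print(triggered_signatures(EVENTS))
```

Run against the constructed trace, the rule reports the dropped-EXE execution (2304 -> 2124) and the language lookup in both processes, but does not escalate the four parent-to-child memory writes, because they target a process the writer created itself.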
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
49KB
MD5
a3a25f0321fd61bbe6dde1f80709a0a2
SHA1
8b58240c90ac5e7cd95db35f2fe8f3ae8744333a
SHA256
30d43370018809790f78ff1fb1a8cee301a346ae0394552844c45eb5aed2a340
SHA512
a15ececfd137941fcb65ce7c2655f3a130d7330801a7f9f9e59a0940cbaa2e3509e05442de9803f1f22eea87a35fc018321df1a957ecf86d735e3aba9ba54344