Analysis
  max time kernel: 150s
  max time network: 150s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 05-09-2024 12:13
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-09-05_b2256b98bc639072ce252174a97a22fb_cryptolocker.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-09-05_b2256b98bc639072ce252174a97a22fb_cryptolocker.exe
  Resource: win10v2004-20240802-en
General
  Target: 2024-09-05_b2256b98bc639072ce252174a97a22fb_cryptolocker.exe
  Size: 31KB
  MD5: b2256b98bc639072ce252174a97a22fb
  SHA1: 233b306a328a88245027e205aab4058ae498a804
  SHA256: 441fc9fb61bf7bc015e81ee61e39615cde29852fceda4efa4ec9bb0635510a66
  SHA512: 3de62b3c5e2d1f8500e9c3e052e11e8c3ae32486aa17f7b5340830685ee28e813b99afd845c007ac93c77ebca8275a8ae7425206902f39aa24d2057376a991ff
  SSDEEP: 768:vQz7yVEhs9+js1SQtOOtEvwDpjz9+94fI/:vj+jsMQMOtEvwDpj5YF
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2468 | misid.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2348 | 2024-09-05_b2256b98bc639072ce252174a97a22fb_cryptolocker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-09-05_b2256b98bc639072ce252174a97a22fb_cryptolocker.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | misid.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2348 wrote to memory of 2468 | 2348 | 2024-09-05_b2256b98bc639072ce252174a97a22fb_cryptolocker.exe | 30
  PID 2348 wrote to memory of 2468 | 2348 | 2024-09-05_b2256b98bc639072ce252174a97a22fb_cryptolocker.exe | 30
  PID 2348 wrote to memory of 2468 | 2348 | 2024-09-05_b2256b98bc639072ce252174a97a22fb_cryptolocker.exe | 30
  PID 2348 wrote to memory of 2468 | 2348 | 2024-09-05_b2256b98bc639072ce252174a97a22fb_cryptolocker.exe | 30
Processes
  C:\Users\Admin\AppData\Local\Temp\2024-09-05_b2256b98bc639072ce252174a97a22fb_cryptolocker.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-05_b2256b98bc639072ce252174a97a22fb_cryptolocker.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2348
    C:\Users\Admin\AppData\Local\Temp\misid.exe (child of PID 2348)
      Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2468
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 31KB
  MD5: aa02c2df2d338d4e0beace499e9db8ab
  SHA1: 484df54d9984b80a37ddff2c0595bac21a69b8d3
  SHA256: a12324df3abc39fc9c92b34744e6e3c433af3a1d820d99d78193a712a82dbd7d
  SHA512: 52d94cf33e2f275041864689110f952d38a90812e55a6091fbf7f7cc8defbe2cabcf317fb8cd6dbafbd1428e949368a247528b80268372fe1ce34abf5b860ba9