Analysis
  max time kernel:  150s
  max time network: 150s
  platform:         windows7_x64
  resource:         win7-20240708-en
  resource tags:    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted:        05-09-2024 12:17
Static task: static1

Behavioral task: behavioral1
  Sample:   2024-09-05_e7f8e1ccc572f1f6153f06f009ed9f51_cryptolocker.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample:   2024-09-05_e7f8e1ccc572f1f6153f06f009ed9f51_cryptolocker.exe
  Resource: win10v2004-20240802-en
General
  Target: 2024-09-05_e7f8e1ccc572f1f6153f06f009ed9f51_cryptolocker.exe
  Size:   40KB
  MD5:    e7f8e1ccc572f1f6153f06f009ed9f51
  SHA1:   c7560b84a613c6f71b507ad8f665cf732746b42d
  SHA256: 11c8174892ab1ac0c9b3ff2567f9000c76d41464ab13a33877b94ea60e80d3b1
  SHA512: 487875cab117f7ee0519e699bf421e1a2648edb28b3422208472c4d887a10020886b908e78279e04b63c98c7fb1eb5e19bf8548136ecfe00084861092963c076
  SSDEEP: 768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjLeJAsKuD+r:ZzFbxmLPWQMOtEvwDpjLeJAsKca
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2764  misid.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2200  2024-09-05_e7f8e1ccc572f1f6153f06f009ed9f51_cryptolocker.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-09-05_e7f8e1ccc572f1f6153f06f009ed9f51_cryptolocker.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  misid.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                                      procid_target
  PID 2200 wrote to memory of 2764  2200  2024-09-05_e7f8e1ccc572f1f6153f06f009ed9f51_cryptolocker.exe  30
  PID 2200 wrote to memory of 2764  2200  2024-09-05_e7f8e1ccc572f1f6153f06f009ed9f51_cryptolocker.exe  30
  PID 2200 wrote to memory of 2764  2200  2024-09-05_e7f8e1ccc572f1f6153f06f009ed9f51_cryptolocker.exe  30
  PID 2200 wrote to memory of 2764  2200  2024-09-05_e7f8e1ccc572f1f6153f06f009ed9f51_cryptolocker.exe  30
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-09-05_e7f8e1ccc572f1f6153f06f009ed9f51_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-05_e7f8e1ccc572f1f6153f06f009ed9f51_cryptolocker.exe"
   PID: 2200
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\misid.exe (child of PID 2200)
      Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      PID: 2764
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
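The signature rows and the process tree above are more useful once they are turned into a triage verdict: the sample runs from the user's Temp directory, launches a second executable (misid.exe) from the same directory, writes into that child's memory four times, and both processes read the NLS\Language key. The following Python is an added example, not output of the sandbox or code of the sample; it rebuilds the process relationships from events constructed to match the report and flags (a) a Temp-resident parent launching a different Temp-resident image and (b) WriteProcessMemory calls, distinguishing writes from a parent into a child it just created (which also occur during ordinary process startup, so they are weak evidence on their own) from writes into an unrelated process, which is the stronger injection signal. The ATT&CK ID T1614.001 is the standard identifier for System Location Discovery: System Language Discovery; the rule names, the `Finding` type and the `TEMP_DIR` constant are this example's own assumptions.

```python
"""Triage helper for a flattened sandbox report (added example, not sandbox output)."""
from dataclasses import dataclass
import ntpath  # Windows path handling, works on any host OS

# Events constructed from the report (same PIDs, image paths and registry key).
PROCESSES = {
    2200: r"C:\Users\Admin\AppData\Local\Temp\2024-09-05_e7f8e1ccc572f1f6153f06f009ed9f51_cryptolocker.exe",
    2764: r"C:\Users\Admin\AppData\Local\Temp\misid.exe",
}
PARENT = {2764: 2200}          # child -> parent, from the nesting of the process tree
WRITES = [(2200, 2764)] * 4    # the four "PID 2200 wrote to memory of 2764" rows
REG_OPENS = [
    (2200, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (2764, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
]

# Assumed user Temp directory for this sandbox image (taken from the report's paths).
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp".lower()
# Registry paths that indicate System Language Discovery (ATT&CK T1614.001).
LANGUAGE_KEYS = {r"\registry\machine\system\controlset001\control\nls\language"}


@dataclass
class Finding:
    pid: int      # process the finding is attached to
    rule: str     # short rule name (this example's own naming)
    detail: str


def in_temp(path: str) -> bool:
    """True when the image sits directly in the user's Temp directory."""
    return ntpath.dirname(path).lower() == TEMP_DIR


def dropped_exe_chains(procs, parent):
    """A Temp-resident parent launching a different Temp-resident image."""
    out = []
    for child, par in parent.items():
        cimg, pimg = procs[child], procs[par]
        if (in_temp(cimg) and in_temp(pimg)
                and ntpath.basename(cimg).lower() != ntpath.basename(pimg).lower()):
            out.append(Finding(child, "dropped-exe-from-temp",
                               f"{ntpath.basename(pimg)} (PID {par}) launched {ntpath.basename(cimg)}"))
    return out


def classify_writes(writes, parent):
    """Split WriteProcessMemory rows into parent->own-child writes and cross-process writes.

    Returns ({(src, dst): count}, [(src, dst), ...]); the second list is the
    injection-grade evidence, the first is expected noise from process creation.
    """
    child_writes, cross_writes = {}, []
    for src, dst in writes:
        if parent.get(dst) == src:
            child_writes[(src, dst)] = child_writes.get((src, dst), 0) + 1
        else:
            cross_writes.append((src, dst))
    return child_writes, cross_writes


def language_discovery(reg_opens):
    """Registry opens of the NLS\\Language key, tagged with the ATT&CK sub-technique."""
    return [Finding(pid, "T1614.001", key) for pid, key in reg_opens
            if key.lower() in LANGUAGE_KEYS]


def triage(procs=PROCESSES, parent=PARENT, writes=WRITES, reg=REG_OPENS):
    """Run all checks and return the list of findings."""
    findings = dropped_exe_chains(procs, parent) + language_discovery(reg)
    child_writes, cross = classify_writes(writes, parent)
    for (src, dst), n in child_writes.items():
        findings.append(Finding(dst, "wpm-parent-to-child",
                                f"{n} write(s) from parent {src}; consistent with process "
                                f"startup, confirm with a memory dump of PID {dst}"))
    for src, dst in cross:
        findings.append(Finding(dst, "wpm-cross-process",
                                f"write from unrelated PID {src}: treat as injection"))
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f"PID {f.pid:<5} {f.rule:<22} {f.detail}")
```

Against the events from this report the helper yields one dropped-exe chain (PID 2764), two T1614.001 hits, and one parent-to-child write group; it yields no cross-process write, which is why the WriteProcessMemory rows alone should not be read as confirmed injection without dumping the child.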
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 40KB
  MD5:      7242c19af2d59cf12a95896d6984b68d
  SHA1:     c81a663d337e2bd33791f3e82d5074ec36e87b64
  SHA256:   e136a58b259c1eb47eb3efa7e7f908d41e81b89badcca658fa6383199e34b1e5
  SHA512:   8710c9e9cba9490eb208fdcccd78b3c06aa056c638590a10efb18c6bf8309dc8fa42ec13e58922b62f21983cd71f76ad90e257262468714d13e46725b4feb220