Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
09-09-2024 02:34
Static task
static1
Behavioral task
behavioral1
Sample
2024-09-09_2a9cf979b0cd59b0d0f026dcf460b5de_cryptolocker.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-09-09_2a9cf979b0cd59b0d0f026dcf460b5de_cryptolocker.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-09-09_2a9cf979b0cd59b0d0f026dcf460b5de_cryptolocker.exe
-
Size
72KB
-
MD5
2a9cf979b0cd59b0d0f026dcf460b5de
-
SHA1
ad26d2973f3eb3f0fa8f889f5c29f2fcb2ba3538
-
SHA256
cf583ea2aa22a60b97d29a610c72c360befce562abcd00a49de836308e2f2772
-
SHA512
cba4d61f23d01b3d2182acfb735592bbea8ad728883cae07404634ce619b0230d52cb097a21d985c34486b36cb77ddad846bf6015ff9f8d193e2d174beed7eea
-
SSDEEP
768:vQz7yVEhs9+js1SQtOOtEvwDpjz9+4ZPsED3VK2+ZtyOjgO4r9vFAg2rq2g1B/R3:vj+jsMQMOtEvwDpj5HZYTjipvF24px
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid   Process
2276  misid.exe
-
Loads dropped DLL 1 IoCs
pid   Process
3012  2024-09-09_2a9cf979b0cd59b0d0f026dcf460b5de_cryptolocker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2024-09-09_2a9cf979b0cd59b0d0f026dcf460b5de_cryptolocker.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   misid.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                         pid   Process                                                            procid_target
PID 3012 wrote to memory of 2276    3012  2024-09-09_2a9cf979b0cd59b0d0f026dcf460b5de_cryptolocker.exe   30
PID 3012 wrote to memory of 2276    3012  2024-09-09_2a9cf979b0cd59b0d0f026dcf460b5de_cryptolocker.exe   30
PID 3012 wrote to memory of 2276    3012  2024-09-09_2a9cf979b0cd59b0d0f026dcf460b5de_cryptolocker.exe   30
PID 3012 wrote to memory of 2276    3012  2024-09-09_2a9cf979b0cd59b0d0f026dcf460b5de_cryptolocker.exe   30
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-09_2a9cf979b0cd59b0d0f026dcf460b5de_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-09_2a9cf979b0cd59b0d0f026dcf460b5de_cryptolocker.exe"
  Depth: 1
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
  -
    C:\Users\Admin\AppData\Local\Temp\misid.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      Depth: 2 (child of PID 3012)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:2276
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
72KB
MD5
f0b75c261ee537d13a61d5f2d9881f73
SHA1
9fda41441ddc42affb69c8ea92809c5040404fef
SHA256
014f4f09cf889cce96bd86650634b9105c1a283fa43adf192cbe533e6a1dea61
SHA512
fa6f8a08cb71151c07ab51e6bbcd73531c03c7ff84e3e336044454fb4b55e57eeba54a4e7d5deb37cf5b4f0ec28def0dd8f7ea68e4a56221483e47b8d51ffdb0