Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2024, 14:22
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-09-25_41df8fa3d1586ac37283237baae2fc16_cryptolocker.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 2024-09-25_41df8fa3d1586ac37283237baae2fc16_cryptolocker.exe
  Resource: win10v2004-20240802-en
General
- Target: 2024-09-25_41df8fa3d1586ac37283237baae2fc16_cryptolocker.exe
- Size: 37KB
- MD5: 41df8fa3d1586ac37283237baae2fc16
- SHA1: d96aec0631c97d79b25be70b448975c13b1c9f71
- SHA256: de289789c6d96fded6ba12efa8513615e12fefa371cd38a07f6cbae370d08edd
- SHA512: 2a1fcd8abb0543e559a57ffe8453a8ca21831c5d4fe0653169b9603136a8b430f20f96fcaf062dfa59f5f3eb40eeca96cc78a2e62055d67ecd623ddeb7aa9cfd
- SSDEEP: 768:TS5nQJ24LR7tOOtEvwDpjGqPhqlcnvhx5f:m5nkFNMOtEvwDpjG8hh3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  1704 | misid.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2568 | 2024-09-25_41df8fa3d1586ac37283237baae2fc16_cryptolocker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-09-25_41df8fa3d1586ac37283237baae2fc16_cryptolocker.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | misid.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2568 wrote to memory of 1704 | 2568 | 2024-09-25_41df8fa3d1586ac37283237baae2fc16_cryptolocker.exe | 30
  PID 2568 wrote to memory of 1704 | 2568 | 2024-09-25_41df8fa3d1586ac37283237baae2fc16_cryptolocker.exe | 30
  PID 2568 wrote to memory of 1704 | 2568 | 2024-09-25_41df8fa3d1586ac37283237baae2fc16_cryptolocker.exe | 30
  PID 2568 wrote to memory of 1704 | 2568 | 2024-09-25_41df8fa3d1586ac37283237baae2fc16_cryptolocker.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-09-25_41df8fa3d1586ac37283237baae2fc16_cryptolocker.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-25_41df8fa3d1586ac37283237baae2fc16_cryptolocker.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2568
  - C:\Users\Admin\AppData\Local\Temp\misid.exe (depth 2, child of PID 2568)
    Command line: "C:\Users\Admin\AppData\Local\Temp\misid.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1704
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 37KB
  MD5: 05c78e2969263241948710119bad6ec5
  SHA1: a7c064a387d8f81f490ebe4bcefa0b2b6d553b1a
  SHA256: 6b8445e67e382d094a75bbc196825686554558d2ef2d488f526924684cd25a85
  SHA512: f2492105035264fa694ab549766ff84d60b37a079a58218451da80daaebdd57545f55d618a5a181c550d4798b55eddbba188c88de50562d96a47bb0844ecf552