f1c36919c8f20bc80d3538fd30808d8fa80768577e4d41575728d31a7480bb69

Analysis

max time kernel
151s
max time network
195s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2022-11-23_97302eada3f130412e4a00c771f6dc44_cryptolocker.exe
Size

44KB
MD5

97302eada3f130412e4a00c771f6dc44
SHA1

6003d9f4dcbf3d82e3d3fe813d0e1952bce414f9
SHA256

f1c36919c8f20bc80d3538fd30808d8fa80768577e4d41575728d31a7480bb69
SHA512

602ce7bd4d93e2f0e0d382021be5860138ce1d5a9f4a7b7dc3b05e1257a2e724714a1b6eb185120170cb04d6627461d0e3218e5d7b14a37aa9ccb10c7b0c0529
SSDEEP

768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjIm8lB4dCOBy/cMcls6z:ZzFbxmLPWQMOtEvwDpj38lD/cMUs0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid process

1920 misid.exe
Loads dropped DLL 1 IoCs

Processes:

2022-11-23_97302eada3f130412e4a00c771f6dc44_cryptolocker.exe

pid process

1812 2022-11-23_97302eada3f130412e4a00c771f6dc44_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1920	misid.exe

pid	process
1812	2022-11-23_97302eada3f130412e4a00c771f6dc44_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2022-11-23_97302eada3f130412e4a00c771f6dc44_cryptolocker.exe

description	pid	process	target process
PID 1812 wrote to memory of 1920	1812	2022-11-23_97302eada3f130412e4a00c771f6dc44_cryptolocker.exe	misid.exe
PID 1812 wrote to memory of 1920	1812	2022-11-23_97302eada3f130412e4a00c771f6dc44_cryptolocker.exe	misid.exe
PID 1812 wrote to memory of 1920	1812	2022-11-23_97302eada3f130412e4a00c771f6dc44_cryptolocker.exe	misid.exe
PID 1812 wrote to memory of 1920	1812	2022-11-23_97302eada3f130412e4a00c771f6dc44_cryptolocker.exe	misid.exe

C:\Users\Admin\AppData\Local\Temp\2022-11-23_97302eada3f130412e4a00c771f6dc44_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2022-11-23_97302eada3f130412e4a00c771f6dc44_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
2⤵
- Executes dropped EXE
PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
44KB

MD5
3598a3139d6a2cb0005946f7aee11f67

SHA1
f3887e1444f06539427183fb74444cb270dee965

SHA256
033324006d82408497e2287b159aca48c542be626abc9fb4f59a6cb284e775a5

SHA512
b02b22f45a5799e8933fcb4549c5ebe00e7fbd4875ba4307fd69f70387873b63a41dcdd84d401d6e19bd78d75db36f7c63c1d4d9f8f42cc2130aad748645b3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
44KB

MD5
3598a3139d6a2cb0005946f7aee11f67

SHA1
f3887e1444f06539427183fb74444cb270dee965

SHA256
033324006d82408497e2287b159aca48c542be626abc9fb4f59a6cb284e775a5

SHA512
b02b22f45a5799e8933fcb4549c5ebe00e7fbd4875ba4307fd69f70387873b63a41dcdd84d401d6e19bd78d75db36f7c63c1d4d9f8f42cc2130aad748645b3f1

Download Submit
\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
44KB

MD5
3598a3139d6a2cb0005946f7aee11f67

SHA1
f3887e1444f06539427183fb74444cb270dee965

SHA256
033324006d82408497e2287b159aca48c542be626abc9fb4f59a6cb284e775a5

SHA512
b02b22f45a5799e8933fcb4549c5ebe00e7fbd4875ba4307fd69f70387873b63a41dcdd84d401d6e19bd78d75db36f7c63c1d4d9f8f42cc2130aad748645b3f1

Download Submit
memory/1812-54-0x0000000000501000-0x0000000000504000-memory.dmp

Filesize
12KB

Download
memory/1812-55-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1812-56-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1812-57-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/1812-66-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1920-64-0x0000000000000000-mapping.dmp

Download
memory/1920-77-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download