7e431eb2f74ff09e893d439381370eed7929f146a54020c1bb4df943645ac7c4

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2022-11-23_c0c9fc01162bf59ddf4795f80627b42d_cryptolocker.exe
Size

68KB
MD5

c0c9fc01162bf59ddf4795f80627b42d
SHA1

bbfdb85b26a23513a54068fb950357ec20340c0b
SHA256

7e431eb2f74ff09e893d439381370eed7929f146a54020c1bb4df943645ac7c4
SHA512

f32547dcaca0e8dc54ac4ef98ff267670c190a7a4a7dc25b98ed3fbb11c020b5e1ac24e63201575f94398956f40f1135b240f4c21e17ff7cd2d3c07be58290f4
SSDEEP

768:gUQz7yVEhs9+4T/1bytOOtEvwDpjNbZ9TDY9:gUj+AIMOtEvwDpjNbPDG

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid process

1664 misid.exe
Loads dropped DLL 1 IoCs

Processes:

2022-11-23_c0c9fc01162bf59ddf4795f80627b42d_cryptolocker.exe

pid process

576 2022-11-23_c0c9fc01162bf59ddf4795f80627b42d_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1664	misid.exe

pid	process
576	2022-11-23_c0c9fc01162bf59ddf4795f80627b42d_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2022-11-23_c0c9fc01162bf59ddf4795f80627b42d_cryptolocker.exe

description	pid	process	target process
PID 576 wrote to memory of 1664	576	2022-11-23_c0c9fc01162bf59ddf4795f80627b42d_cryptolocker.exe	misid.exe
PID 576 wrote to memory of 1664	576	2022-11-23_c0c9fc01162bf59ddf4795f80627b42d_cryptolocker.exe	misid.exe
PID 576 wrote to memory of 1664	576	2022-11-23_c0c9fc01162bf59ddf4795f80627b42d_cryptolocker.exe	misid.exe
PID 576 wrote to memory of 1664	576	2022-11-23_c0c9fc01162bf59ddf4795f80627b42d_cryptolocker.exe	misid.exe

C:\Users\Admin\AppData\Local\Temp\2022-11-23_c0c9fc01162bf59ddf4795f80627b42d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2022-11-23_c0c9fc01162bf59ddf4795f80627b42d_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
2⤵
- Executes dropped EXE
PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
68KB

MD5
75fbd7d773ae84ca04ad9abcc3e5a82c

SHA1
27d811f7e90dd1b2160e3130698a2185434e01b5

SHA256
6de3cdf7de7f8a3f5e57bf3406d1b27c7725b18d6ca4ceada064d86e5c2f3a0c

SHA512
d3b3a2b1f5938ff0cc9abfaba9666c4e3913d75a785e206a8fe13daa2cd3e5e6704196e22be9df9819b09549d618b7e87fa72b2dd560cd053515cc218891f7a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
68KB

MD5
75fbd7d773ae84ca04ad9abcc3e5a82c

SHA1
27d811f7e90dd1b2160e3130698a2185434e01b5

SHA256
6de3cdf7de7f8a3f5e57bf3406d1b27c7725b18d6ca4ceada064d86e5c2f3a0c

SHA512
d3b3a2b1f5938ff0cc9abfaba9666c4e3913d75a785e206a8fe13daa2cd3e5e6704196e22be9df9819b09549d618b7e87fa72b2dd560cd053515cc218891f7a8

Download Submit
\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
68KB

MD5
75fbd7d773ae84ca04ad9abcc3e5a82c

SHA1
27d811f7e90dd1b2160e3130698a2185434e01b5

SHA256
6de3cdf7de7f8a3f5e57bf3406d1b27c7725b18d6ca4ceada064d86e5c2f3a0c

SHA512
d3b3a2b1f5938ff0cc9abfaba9666c4e3913d75a785e206a8fe13daa2cd3e5e6704196e22be9df9819b09549d618b7e87fa72b2dd560cd053515cc218891f7a8

Download Submit
memory/576-54-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/576-55-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/576-56-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/576-65-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1664-63-0x0000000000000000-mapping.dmp

Download
memory/1664-68-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/1664-75-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download