277b81f86d1726de3fc0bf29d147cf3db6c226c48b47021c95d4d585db428d94

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_ebdfa9e4b75464775968ecacec720947_cryptolocker.exe
Size

38KB
MD5

ebdfa9e4b75464775968ecacec720947
SHA1

69b010f71d5af04df234610e8f03f44365e9abf0
SHA256

277b81f86d1726de3fc0bf29d147cf3db6c226c48b47021c95d4d585db428d94
SHA512

2dee8c9363d06e8797583d77f4f3c4dfdf5fa67945c2f0400202fb7eb6067f2d4f1007bd03f64bc795c86de147e251f4908b4115e614490cd36d0d48b42e48ba
SSDEEP

384:60VkMq01bJ3wtEwPS8HLEh+Jagz+3be+26aIIcVRYpetOOtEvwDpjqIGRmdHzOO1:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqh6/3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3028	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2860	2024-01-08_ebdfa9e4b75464775968ecacec720947_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 3028	2860	2024-01-08_ebdfa9e4b75464775968ecacec720947_cryptolocker.exe	16
PID 2860 wrote to memory of 3028	2860	2024-01-08_ebdfa9e4b75464775968ecacec720947_cryptolocker.exe	16
PID 2860 wrote to memory of 3028	2860	2024-01-08_ebdfa9e4b75464775968ecacec720947_cryptolocker.exe	16
PID 2860 wrote to memory of 3028	2860	2024-01-08_ebdfa9e4b75464775968ecacec720947_cryptolocker.exe	16

C:\Users\Admin\AppData\Local\Temp\2024-01-08_ebdfa9e4b75464775968ecacec720947_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_ebdfa9e4b75464775968ecacec720947_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
1KB

MD5
f36b41fe438e721be3491ddc7e3a3697

SHA1
3996f1c8c612dc0959bbcbab5d4346616d993958

SHA256
698cfbdb818ece01e0ebce182008e24bdf14271427477e4f88deed166cb63a94

SHA512
9300d32e21831aa7a7b7b81a32a0de30476839d7b2686671280995126eacfa7649b859041a42fdb6718e31a45ebf314f481b50042753a361ad38b54b165738c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
38KB

MD5
33f7be9721a00f35534eeb77cbe176bd

SHA1
112bfef383fd6b597baf872a6f9d645bda7b6488

SHA256
f8df4be22626888a43b4cae56c5819392cfea56eb529c7c6afd022aeb8c7b367

SHA512
2248ffcac9ff0fe8a43ae25f7a511e30c0c920e8687ba7e7cb144403d74f45dfaa4063f09ad31e1b0579afb84704d17d1df369350c176321280f153986098a1e

Download Submit
memory/2860-9-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2860-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2860-2-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/2860-1-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2860-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/3028-17-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/3028-21-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/3028-23-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download