f1138a58c918931b18eb9f000eac3183fdeda2d9abb4b7743d661d67809b22ea

Analysis

max time kernel
0s
max time network
142s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_db8cb810a1bc84da12b8dbaa3e3efe6e_cryptolocker.exe
Size

35KB
MD5

db8cb810a1bc84da12b8dbaa3e3efe6e
SHA1

4f5ef7cac86e4e1aded96df9f3ee0a9d093fe891
SHA256

f1138a58c918931b18eb9f000eac3183fdeda2d9abb4b7743d661d67809b22ea
SHA512

dab7c348304fb8e3136d9e8e6071d88a572539412dfb5395a7ce0db75592c181b185a96e30e45aa68ca7d4d0e6897e42152ec97df8913306f96c5366e51cf6cd
SSDEEP

768:bxNQIE0eBhkL2Fo1CCwgfjOg1tsJ6zeen754x:bxNrC7kYo1Fxf3s05c

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	pissa.exe

Loads dropped DLL 1 IoCs

pid	Process
2816	2024-01-09_db8cb810a1bc84da12b8dbaa3e3efe6e_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 3008	2816	2024-01-09_db8cb810a1bc84da12b8dbaa3e3efe6e_cryptolocker.exe	16
PID 2816 wrote to memory of 3008	2816	2024-01-09_db8cb810a1bc84da12b8dbaa3e3efe6e_cryptolocker.exe	16
PID 2816 wrote to memory of 3008	2816	2024-01-09_db8cb810a1bc84da12b8dbaa3e3efe6e_cryptolocker.exe	16
PID 2816 wrote to memory of 3008	2816	2024-01-09_db8cb810a1bc84da12b8dbaa3e3efe6e_cryptolocker.exe	16

C:\Users\Admin\AppData\Local\Temp\2024-01-09_db8cb810a1bc84da12b8dbaa3e3efe6e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_db8cb810a1bc84da12b8dbaa3e3efe6e_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\pissa.exe
  "C:\Users\Admin\AppData\Local\Temp\pissa.exe"
  2⤵
  - Executes dropped EXE
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pissa.exe

Filesize
4KB

MD5
35f9a36afa1ba684a09cdea321dcdf07

SHA1
c7f0dea535c6a4f27066ac4c9acfa8bea4cdc610

SHA256
e73629653285bf453e21c70a9d5b8658be2f977834c86a8ae0e3431f07e89441

SHA512
5b0c0875c7b52800db8bd8b97dcfbf61c642bf63665336c2de3aea7995e86b805703b99a09a546ef3b45d8b0a2b456ae6170828be0397ba4c1f2a428913f51de

Download Submit
C:\Users\Admin\AppData\Local\Temp\pissa.exe

Filesize
35KB

MD5
6d45ef6ffd4b5e303591545a5e2a22a1

SHA1
e05b98fbc0ec30eaac7502940b2ce76cff6adb6a

SHA256
6b2c9e4996cf2fbc5f354ae25748315edfe0a0fc11546e0ecb77d8a0d5021ab8

SHA512
816b990b46cdb619606a4b3f2c1938542ecc392450a04767336a2c60e66668825e0806041556282ee625194701c01397d2ddd50ca66815ff642f5bb9dc6166de

Download Submit
\Users\Admin\AppData\Local\Temp\pissa.exe

Filesize
1KB

MD5
2721d4c65527f70ed74b73c609568a08

SHA1
164222ebaa3025a014bd844ddb7502e9f777408c

SHA256
01708d03e160767745398cf63f11f928809e4b73a90a9d636f79916b058eca68

SHA512
06a817e5540745f8672db03bb5139e6606ec1907983b79db4e7841131fbbdf0b55dc2e02a1604b7eaafaf6fd0f292e8ec43f4664f6222815e2a54df27eff15f6

Download Submit
memory/2816-2-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2816-1-0x0000000000580000-0x0000000000586000-memory.dmp

Filesize
24KB

Download
memory/2816-0-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/3008-22-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/3008-15-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download