2d54bb8373f82540a45e8ebebc54bff4bd238a45321110b46cb3e04b193cfa9f

General

Target

2024-01-23_40f594ca930dcc6c027fd620a9d7ccae_cryptolocker.exe
Size

92KB
MD5

40f594ca930dcc6c027fd620a9d7ccae
SHA1

ed068b3a9c88e4cda156794538d756fae240bae5
SHA256

2d54bb8373f82540a45e8ebebc54bff4bd238a45321110b46cb3e04b193cfa9f
SHA512

aff7d45edd262a04c18d23f605d7cec991ca5e2b91c19258dc4eb9ca7fab148a8d73c31676b0c15985bd4ee60c678689bc3d7667ce758a3ed757c6db7d6b211d
SSDEEP

1536:zj+soPSMOtEvwDpj4ktBl01hJl8QAPM8Ho6cRDj9i4RRh:zCsanOtEvwDpj8

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 7 IoCs

resource	yara_rule
behavioral1/memory/2768-21-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000b00000001224c-26.dat	CryptoLocker_rule2
behavioral1/memory/2488-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000b00000001224c-15.dat	CryptoLocker_rule2
behavioral1/memory/2488-12-0x0000000000580000-0x0000000000590000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000b00000001224c-11.dat	CryptoLocker_rule2
behavioral1/memory/2488-1-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 7 IoCs

resource	yara_rule
behavioral1/memory/2768-21-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000b00000001224c-26.dat	CryptoLocker_set1
behavioral1/memory/2488-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000b00000001224c-15.dat	CryptoLocker_set1
behavioral1/memory/2488-12-0x0000000000580000-0x0000000000590000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000b00000001224c-11.dat	CryptoLocker_set1
behavioral1/memory/2488-1-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 7 IoCs

resource	yara_rule
behavioral1/memory/2768-21-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/files/0x000b00000001224c-26.dat	UPX
behavioral1/memory/2488-16-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/files/0x000b00000001224c-15.dat	UPX
behavioral1/memory/2488-12-0x0000000000580000-0x0000000000590000-memory.dmp	UPX
behavioral1/files/0x000b00000001224c-11.dat	UPX
behavioral1/memory/2488-1-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2768	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2488	2024-01-23_40f594ca930dcc6c027fd620a9d7ccae_cryptolocker.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2768-21-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000b00000001224c-26.dat	upx
behavioral1/memory/2488-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000b00000001224c-15.dat	upx
behavioral1/memory/2488-12-0x0000000000580000-0x0000000000590000-memory.dmp	upx
behavioral1/files/0x000b00000001224c-11.dat	upx
behavioral1/memory/2488-1-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2768	2488	2024-01-23_40f594ca930dcc6c027fd620a9d7ccae_cryptolocker.exe	16
PID 2488 wrote to memory of 2768	2488	2024-01-23_40f594ca930dcc6c027fd620a9d7ccae_cryptolocker.exe	16
PID 2488 wrote to memory of 2768	2488	2024-01-23_40f594ca930dcc6c027fd620a9d7ccae_cryptolocker.exe	16
PID 2488 wrote to memory of 2768	2488	2024-01-23_40f594ca930dcc6c027fd620a9d7ccae_cryptolocker.exe	16

C:\Users\Admin\AppData\Local\Temp\2024-01-23_40f594ca930dcc6c027fd620a9d7ccae_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_40f594ca930dcc6c027fd620a9d7ccae_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
51KB

MD5
b00d87a5adb53878c8f15b8bbf53904b

SHA1
f523c2ca571a68c66f0c96e4b43b7e35b4c1ca43

SHA256
5d1de3946b6a68355411200a6bcb5aa360d949ddf00408cde10e7313e7482e4b

SHA512
85530288acfcd966136ec675fd23cc22c2065a421e565d6c498b78e32a24f4ee3a6640063d0e046b4d148d5fbc82aec937ce90fc81bf7468ebc11690328420b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
56KB

MD5
afe8d68e9f96d10060d2fb47d15bb337

SHA1
f6dd44016ff9d4a6b7d2c9c9767690322985375c

SHA256
812283043359ec5cad84292e28e6928dfac84d256a0ba54d6691c9d9f680d20a

SHA512
35abc6de71b02f6f91112d6656afa8d0670bbbf08f212dd94e9b9a7b2dc699c2f67e138da94dd93d18dd036519974c8c26ae5cebff696a1a48cf08e3e71d8bc7

Download Submit
\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
19KB

MD5
bda14f2d4750efb97539205538f911d2

SHA1
5cafe9ce957542a18f82361b0bc320f36089e822

SHA256
6ab3f3eb383b50174542680890215877f44631b5b97e22c6f7c9b6d5e7737630

SHA512
5d5e1c6864cb86e8ae0585c81ed280512782298d23f8a7667dc77ffcd7a4b1a7b92d4e52b3b8afb1f71f79eab5d717b20e948dde20aa2f9ab83a8f50f71d048a

Download Submit
memory/2488-2-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2488-3-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2488-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2488-12-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2488-1-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2488-0-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2768-19-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2768-21-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2768-18-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing