b234cc49179ae58ac128466ba7a73e6f16651433b442d892735c1ab2b5205ecc

General

Target

2024-01-27_8fdae30ff31af0d5990853ad8dbe469f_cryptolocker.exe
Size

64KB
MD5

8fdae30ff31af0d5990853ad8dbe469f
SHA1

5e561c78a274134f642a1680fa564365b7746f8a
SHA256

b234cc49179ae58ac128466ba7a73e6f16651433b442d892735c1ab2b5205ecc
SHA512

f929fb30b01c1c10b5774b08786be0604dcb729bacbddc49709ccb5bc63920b772e7545b181fd4f8dcfa62d498f1fd72b90daaed5b76cd7d267a109fe1e80c54
SSDEEP

768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPOYRmNxt5I52kGEpE0P/xJ:6j+1NMOtEvwDpjr8ox8UDEpN/f

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 7 IoCs

resource	yara_rule
behavioral1/memory/2880-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000a000000012247-11.dat	CryptoLocker_rule2
behavioral1/memory/2880-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2720-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2880-13-0x0000000002480000-0x000000000248F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2880-27-0x0000000002480000-0x000000000248F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2720-28-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 6 IoCs

resource	yara_rule
behavioral1/memory/2880-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000a000000012247-11.dat	CryptoLocker_set1
behavioral1/memory/2880-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2720-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2880-13-0x0000000002480000-0x000000000248F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2720-28-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 7 IoCs

resource	yara_rule
behavioral1/memory/2880-0-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000a000000012247-11.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2880-15-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2720-17-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2880-13-0x0000000002480000-0x000000000248F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2880-27-0x0000000002480000-0x000000000248F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2720-28-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2720	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2880	2024-01-27_8fdae30ff31af0d5990853ad8dbe469f_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2720	2880	2024-01-27_8fdae30ff31af0d5990853ad8dbe469f_cryptolocker.exe	28
PID 2880 wrote to memory of 2720	2880	2024-01-27_8fdae30ff31af0d5990853ad8dbe469f_cryptolocker.exe	28
PID 2880 wrote to memory of 2720	2880	2024-01-27_8fdae30ff31af0d5990853ad8dbe469f_cryptolocker.exe	28
PID 2880 wrote to memory of 2720	2880	2024-01-27_8fdae30ff31af0d5990853ad8dbe469f_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-27_8fdae30ff31af0d5990853ad8dbe469f_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_8fdae30ff31af0d5990853ad8dbe469f_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
64KB

MD5
9c5a20a38db5a99be37959a2f666f7ee

SHA1
e8f97a77bdaa558dbb5e589b6d2eef1534cbc2f8

SHA256
c027b6dacaa7c9cc957d220b2602dc3dbeef68017d5bb2b5dd5d657c9789e947

SHA512
b200e2d9c0bd1bda313096ff093b36d42597714644e8656d41cf71bea6f6ac09690bcb89b73e438fa01931ab29c416723483a9b179abc20319509372c129b277

Download Submit
memory/2720-17-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2720-20-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2720-19-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/2720-28-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2880-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2880-1-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/2880-2-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/2880-5-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/2880-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2880-13-0x0000000002480000-0x000000000248F000-memory.dmp

Filesize
60KB

Download
memory/2880-27-0x0000000002480000-0x000000000248F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing