c69b5379d3b9aa80fe171060f03d36bbc7feeb03358e1a3cd4474061fb3c3d86

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_7b618fe40e5a5a4970d47d96e97e06c1_cryptolocker.exe
Size

104KB
MD5

7b618fe40e5a5a4970d47d96e97e06c1
SHA1

ab2fd5a4868c6fab70a90eb91ae50317de2a57fb
SHA256

c69b5379d3b9aa80fe171060f03d36bbc7feeb03358e1a3cd4474061fb3c3d86
SHA512

11c2b1687c3515428cd04b130277f3dbbe8489d7c29fdf378131d2454747b9d4547005169977ab366c9d62f6ce66b664794f99cef9997d8e7c9584656c357f9e
SSDEEP

768:xQz7yVEhs9+4uR1bytOOtEvwDpjWfbZ7uyA36S7MpxRiWjy9g:xj+VGMOtEvwDpjubwQEIikug

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/2132-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000900000001222a-11.dat	CryptoLocker_rule2
behavioral1/memory/2132-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2364-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2364-28-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 5 IoCs

resource	yara_rule
behavioral1/memory/2132-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000900000001222a-11.dat	CryptoLocker_set1
behavioral1/memory/2132-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2364-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2364-28-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 5 IoCs

resource	yara_rule
behavioral1/memory/2132-0-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000900000001222a-11.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2132-15-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2364-17-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2364-28-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2364	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2132	2024-01-28_7b618fe40e5a5a4970d47d96e97e06c1_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2364	2132	2024-01-28_7b618fe40e5a5a4970d47d96e97e06c1_cryptolocker.exe	28
PID 2132 wrote to memory of 2364	2132	2024-01-28_7b618fe40e5a5a4970d47d96e97e06c1_cryptolocker.exe	28
PID 2132 wrote to memory of 2364	2132	2024-01-28_7b618fe40e5a5a4970d47d96e97e06c1_cryptolocker.exe	28
PID 2132 wrote to memory of 2364	2132	2024-01-28_7b618fe40e5a5a4970d47d96e97e06c1_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-28_7b618fe40e5a5a4970d47d96e97e06c1_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_7b618fe40e5a5a4970d47d96e97e06c1_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
104KB

MD5
3a4fa04b74ab8966fe859071fa3b78dc

SHA1
bb8300f9eed6d9143166cedf8b9818f6b5cab89c

SHA256
7cd8b67abfe2543f32ba78bd691e6edc54cbf4b40a5d1f5782b5f8e7e5715bc6

SHA512
3b24a0d98839f577422cf07b79cc2b28ee142d7e2b51ad466b0bf76b31469b3c48a45f6a18d529d7fde630d43313a8a0cc31c87d096fd50df6b1191c3aaaae3a

Download Submit
memory/2132-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2132-1-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2132-2-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2132-3-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2132-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2132-16-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/2132-27-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/2364-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2364-19-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/2364-21-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2364-28-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download