c6f0187088cf115eada4db03b30136f65b118533d3d1363aed71afa08b781754

General

Target

2024-01-29_f1d51c6de1e37799a6fd7764174a2f55_cryptolocker.exe
Size

127KB
MD5

f1d51c6de1e37799a6fd7764174a2f55
SHA1

8d4318ee703cb6b928869349d0ba5fa0ca864ff4
SHA256

c6f0187088cf115eada4db03b30136f65b118533d3d1363aed71afa08b781754
SHA512

9ce54e4b0840c3d49c6fce81aaafd6504ce42278e58ed000350a96834d77dbb678dc68dd11e1fb2249985ddaf2a1298e71c9b4d8b63537a403b5133b7c04e879
SSDEEP

1536:vj+jsMQMOtEvwDpj5HwYYTjipvF2hBfIuBKLUYOVbvh//o:vCjsIOtEvwDpj5H9YvQd2Ri

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 3 IoCs

resource	yara_rule
behavioral1/files/0x000a000000013a71-21.dat	CryptoLocker_rule2
behavioral1/files/0x000a000000013a71-13.dat	CryptoLocker_rule2
behavioral1/files/0x000a000000013a71-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 3 IoCs

resource	yara_rule
behavioral1/files/0x000a000000013a71-21.dat	CryptoLocker_set1
behavioral1/files/0x000a000000013a71-13.dat	CryptoLocker_set1
behavioral1/files/0x000a000000013a71-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
3056	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
1896	2024-01-29_f1d51c6de1e37799a6fd7764174a2f55_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	misid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	misid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	misid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 3056	1896	2024-01-29_f1d51c6de1e37799a6fd7764174a2f55_cryptolocker.exe	16
PID 1896 wrote to memory of 3056	1896	2024-01-29_f1d51c6de1e37799a6fd7764174a2f55_cryptolocker.exe	16
PID 1896 wrote to memory of 3056	1896	2024-01-29_f1d51c6de1e37799a6fd7764174a2f55_cryptolocker.exe	16
PID 1896 wrote to memory of 3056	1896	2024-01-29_f1d51c6de1e37799a6fd7764174a2f55_cryptolocker.exe	16

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3056

C:\Users\Admin\AppData\Local\Temp\2024-01-29_f1d51c6de1e37799a6fd7764174a2f55_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_f1d51c6de1e37799a6fd7764174a2f55_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
45KB

MD5
dc38d629e51926a750b443772d7c8c65

SHA1
2868765523e76b2e6706f18ecb665f4631a00d00

SHA256
21a98ea45d4ca76fc03cd769b01345da379395b41295e1506644149d0a378883

SHA512
beb8198332e8771a0475a925a4b31a8a80df9a04dc889442d1a4e024b1b66709acc3e347d50af1868d5d0c351d489cd454fc2523f752ea9dec56b9a9d6048ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar107A.tmp

Filesize
44KB

MD5
3fd8ec8f21a426bf799d8a5045388b0a

SHA1
81e4ec44dd2125e6a6544984367acbdfb1f24cbb

SHA256
b7199b0ab2d7fdc6be017a6fff2b89481adcf958bda88fd02088e53f2aeb99de

SHA512
4594880528eda8c8a8695bc640b8af3de95dc8e6ccf9f82f5e40af4c580c0fb9652ad7d2ac4899e09bd559bd63fd0c2814137df930be878622fd3ffcf566650b

Download Submit
C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
77KB

MD5
1d3a2b6e8f68277cfc325dca5f68a25d

SHA1
745f592fd192118e546c77239717615a5f71d51b

SHA256
5aba8311c783dd6c60f2249baed274343974f426098e5316fe8e687f91eaeb28

SHA512
b17040bd7baf480b50f1b9e6d78bde4486ca5fae4d1527da4ab8ab72b526ff684802983b7914a5332dfb668d0f9e1ab73c49a26a3d49a4251947ae883dec3786

Download Submit
C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
38KB

MD5
d30128e835ae7c1ec74f61292747b314

SHA1
d716614f70419389b43fb327660e09637b08227f

SHA256
fd09cb2023d0ec7c5ad29a0b4c1553de8c8273bfcebd15b5ff8f858cf08068b5

SHA512
6cbada272d685e7d7890cf02bde769018984a1c4cd3bc3bc8c5f149f3253a777056c1edec6ac8c3197143e0fd814581e4c247088c9c90c326661e7de001e8c87

Download Submit
\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
66KB

MD5
b4d5ec9713e432c2dd9ae83f4dfece2e

SHA1
75760825b83f81e1dc8b7062f254d16ea71a078d

SHA256
11c267dc0383bf37c2fbe72f8c9b089b81e5518153cf654d46bf7f2cfff36f5b

SHA512
41196734eacf53ad064fb060cd2adf37df87cdcb52a5a10ccb7fd173b38c8793c67d75d48759ecee3a86ef6971398e0b2a73162f27df10004ccdac7711329d8e

Download Submit
memory/1896-7-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1896-1-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1896-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/3056-15-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/3056-22-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing