ee5717a297721355c15df04f2e67112691619b4949f6a488ea2e947cb11dc927

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 19:51

Target

2024-02-12_2da8b5e99c69c9db59205dfe03b6eb02_cryptolocker.exe
Size

41KB
MD5

2da8b5e99c69c9db59205dfe03b6eb02
SHA1

2b1073efcef1405dc9139504847e8e6dec5efdb3
SHA256

ee5717a297721355c15df04f2e67112691619b4949f6a488ea2e947cb11dc927
SHA512

7e9a4f8eb5c6f5c74e85006c947badff7baffba0f305e76b8533714fc15afc612cc4a5712716afc32694159f08d9c081cd99086ef29f56dcb057826259727cc9
SSDEEP

768:bxNQIE0eBhkL2Fo1CCwgfjOg1tsJ6zeen754XcwxbFp1I:bxNrC7kYo1Fxf3s05rwxbF7I

Score

9^/10

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\pissa.exe	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

Processes:

pissa.exe

pid process

2808 pissa.exe
Loads dropped DLL 1 IoCs

Processes:

2024-02-12_2da8b5e99c69c9db59205dfe03b6eb02_cryptolocker.exe

pid process

2184 2024-02-12_2da8b5e99c69c9db59205dfe03b6eb02_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2808	pissa.exe

pid	process
2184	2024-02-12_2da8b5e99c69c9db59205dfe03b6eb02_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-02-12_2da8b5e99c69c9db59205dfe03b6eb02_cryptolocker.exe

description	pid	process	target process
PID 2184 wrote to memory of 2808	2184	2024-02-12_2da8b5e99c69c9db59205dfe03b6eb02_cryptolocker.exe	pissa.exe
PID 2184 wrote to memory of 2808	2184	2024-02-12_2da8b5e99c69c9db59205dfe03b6eb02_cryptolocker.exe	pissa.exe
PID 2184 wrote to memory of 2808	2184	2024-02-12_2da8b5e99c69c9db59205dfe03b6eb02_cryptolocker.exe	pissa.exe
PID 2184 wrote to memory of 2808	2184	2024-02-12_2da8b5e99c69c9db59205dfe03b6eb02_cryptolocker.exe	pissa.exe

C:\Users\Admin\AppData\Local\Temp\pissa.exe
"C:\Users\Admin\AppData\Local\Temp\pissa.exe"
1⤵
- Executes dropped EXE
PID:2808

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\pissa.exe

Filesize
42KB

MD5
96f9b03384ea553885882b6378acf564

SHA1
2f454b0bda99bf8b4a0e6505d2f3a0852e4b4490

SHA256
00b04b9233479fd6929c8f442f4e32433ba79624e96ec2428e996a5d550ed40c

SHA512
c20c0ec4cd30f7c841e90cb47ae5fa4d3a88af6d3dfade7735df97d224416bff6b303cfe5c0efc9b021845c17f5832e18a7b09491ff7352d7cd132480a6bcdf2

Download Submit
memory/2184-2-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2184-1-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2184-0-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2808-19-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2808-15-0x0000000001CA0000-0x0000000001CA6000-memory.dmp

Filesize
24KB

Download