6b4d95cb045f393f4573e40405b2a39ae865d31de911b6bf35ae67071ce42995

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
17/02/2024, 05:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_ff060947d6ae1a0d8cd5ac4ff00d9d77_cryptolocker.exe
Size

47KB
MD5

ff060947d6ae1a0d8cd5ac4ff00d9d77
SHA1

107430f193dbc85988713e5d6bdb10dd6672ce2c
SHA256

6b4d95cb045f393f4573e40405b2a39ae865d31de911b6bf35ae67071ce42995
SHA512

798a877c9faa8dd240ed832d11778a18be43ca43a5f1ebd7a1fb448b55fc92a5981db6c03081b9ed3da1fa0f916cd2156aebdfc7efb5c86a74e1d19651475a82
SSDEEP

384:icX+ni9VCr5nQI021q4VQBqURYp055TOtOOtEvwDpjqIGR/hHi7/OlI0G/7Ioqbn:XS5nQJ24LR1bytOOtEvwDpjNbP/Moqbn

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 3 IoCs

resource	yara_rule
behavioral1/memory/1724-8-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000a000000012236-11.dat	CryptoLocker_rule2
behavioral1/memory/2916-20-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 2 IoCs

resource	yara_rule
behavioral1/memory/1724-8-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2916-20-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 3 IoCs

resource	yara_rule
behavioral1/memory/1724-8-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000a000000012236-11.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2916-20-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2916	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
1724	2024-02-17_ff060947d6ae1a0d8cd5ac4ff00d9d77_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2916	1724	2024-02-17_ff060947d6ae1a0d8cd5ac4ff00d9d77_cryptolocker.exe	19
PID 1724 wrote to memory of 2916	1724	2024-02-17_ff060947d6ae1a0d8cd5ac4ff00d9d77_cryptolocker.exe	19
PID 1724 wrote to memory of 2916	1724	2024-02-17_ff060947d6ae1a0d8cd5ac4ff00d9d77_cryptolocker.exe	19
PID 1724 wrote to memory of 2916	1724	2024-02-17_ff060947d6ae1a0d8cd5ac4ff00d9d77_cryptolocker.exe	19

C:\Users\Admin\AppData\Local\Temp\2024-02-17_ff060947d6ae1a0d8cd5ac4ff00d9d77_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_ff060947d6ae1a0d8cd5ac4ff00d9d77_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
47KB

MD5
de7852dc15936b92eec40dab65b9f986

SHA1
b1fd329591f69b39a6dd6cb167c8c7aec0a789b3

SHA256
bb56d12c2062f1a47c1a98147281535d5aaa3bbf51d7091fff104babd1e5ad73

SHA512
60db25c7c701191138e58940d2b7fcc8a5f741a7b9c646529917f77ee3b6677dc8f367530a94d2011081908612dfe6a6fa1f9204733726cf653368db8edc53da

Download Submit
memory/1724-9-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1724-8-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1724-1-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1724-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1724-17-0x00000000028C0000-0x00000000028CF000-memory.dmp

Filesize
60KB

Download
memory/1724-28-0x00000000028C0000-0x00000000028CF000-memory.dmp

Filesize
60KB

Download
memory/2916-18-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/2916-20-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download