cd9412e7ae517800d253ccf5a6634bec9cd8a0447b20d4a6775efbe63e44bb20

Analysis

max time kernel
153s
max time network
163s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17/02/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_d63055413f868b154bb6fe65a40e1741_cryptolocker.exe
Size

34KB
MD5

d63055413f868b154bb6fe65a40e1741
SHA1

fc5651962093750b1b27bfe76cae5abc14bae256
SHA256

cd9412e7ae517800d253ccf5a6634bec9cd8a0447b20d4a6775efbe63e44bb20
SHA512

ef71efbc13d325695ce7c86610fe214bd99fcfdf090b7baf594a91030d375faa940db2a1693052ff5d28a8e2233c704a3f213e515ddeec2fcccc2ad2929a1ae0
SSDEEP

768:bxNQIE0eBhkL2Fo1CCwgfjOg1tsJ6zeen7cv:bxNrC7kYo1Fxf3s0cv

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012262-13.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2204	pissa.exe

Loads dropped DLL 1 IoCs

pid	Process
2504	2024-02-17_d63055413f868b154bb6fe65a40e1741_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2204	2504	2024-02-17_d63055413f868b154bb6fe65a40e1741_cryptolocker.exe	28
PID 2504 wrote to memory of 2204	2504	2024-02-17_d63055413f868b154bb6fe65a40e1741_cryptolocker.exe	28
PID 2504 wrote to memory of 2204	2504	2024-02-17_d63055413f868b154bb6fe65a40e1741_cryptolocker.exe	28
PID 2504 wrote to memory of 2204	2504	2024-02-17_d63055413f868b154bb6fe65a40e1741_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-17_d63055413f868b154bb6fe65a40e1741_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_d63055413f868b154bb6fe65a40e1741_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\pissa.exe
  "C:\Users\Admin\AppData\Local\Temp\pissa.exe"
  2⤵
  - Executes dropped EXE
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pissa.exe

Filesize
35KB

MD5
51a05dda9e1911d646d6bff5e28089b9

SHA1
88a3e14a9445e4af01d7c389fdc8332fc652c070

SHA256
cb6d6f8d879ede1e859ede4aeb8746704e202a37e78087d82d81e948ebe0f10a

SHA512
d1d0197db69eb65a9dfc0e34395d93e89845b0b48f6e713fba704a7b12f40537e32f150e2f75aba698bbdde06b8309406d47c3e26279e781f4c340a8056ca2cc

Download Submit
memory/2204-15-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2504-0-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2504-2-0x0000000001CA0000-0x0000000001CA6000-memory.dmp

Filesize
24KB

Download
memory/2504-1-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download