e8ca54ffc41676c706571f4f39c0b066b44d74c4b17fae8a95aa5f8ccd0cad29

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-02-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_296df5c558601cbb1bd9d6c99d98616e_cryptolocker.exe
Size

81KB
MD5

296df5c558601cbb1bd9d6c99d98616e
SHA1

4305cb817dc1b459615d3130f3350cd22ff47a29
SHA256

e8ca54ffc41676c706571f4f39c0b066b44d74c4b17fae8a95aa5f8ccd0cad29
SHA512

2ba7d1f8b077a923fd6995dec7bf7329c9853502c64c970ce010183e8f64c5c79aa269777485fea5990337e190a4b8bac4eb4cd090bcc09b4da5c3719ad54a19
SSDEEP

1536:vj+jsMQMOtEvwDpj5HwYYTjipvF2hBfWafHuX:vCjsIOtEvwDpj5H9YvQd2S

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015f01-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015f01-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2212	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2340	2024-02-18_296df5c558601cbb1bd9d6c99d98616e_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2212	2340	2024-02-18_296df5c558601cbb1bd9d6c99d98616e_cryptolocker.exe	28
PID 2340 wrote to memory of 2212	2340	2024-02-18_296df5c558601cbb1bd9d6c99d98616e_cryptolocker.exe	28
PID 2340 wrote to memory of 2212	2340	2024-02-18_296df5c558601cbb1bd9d6c99d98616e_cryptolocker.exe	28
PID 2340 wrote to memory of 2212	2340	2024-02-18_296df5c558601cbb1bd9d6c99d98616e_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-18_296df5c558601cbb1bd9d6c99d98616e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_296df5c558601cbb1bd9d6c99d98616e_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
81KB

MD5
e50da941ffbb39e3b2f6b77826350c8f

SHA1
55012231368185c570046be800e1db1e35c00323

SHA256
3363dbce9a45e1371f785cc0f2044765f310b4c5208831a1afdfe123e8f1db63

SHA512
71df8137fa6694972f1b95159bd529722c5e029e49da1bfc24f85f76d356b8f5348830624b3d311015c78186ebf7a667414274509ee59f21303042d728ad2efe

Download Submit
memory/2212-15-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/2212-22-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2340-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2340-1-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2340-3-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download