f16ec6a830121acd2f9fe4bc8c6834cef010578c005d9a10d827d57277e1bbd6

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_78a5ec487ac4aeb048290ea99d8a2a00_cryptolocker.exe
Size

125KB
MD5

78a5ec487ac4aeb048290ea99d8a2a00
SHA1

8484365b02d28182721d84d66d42a991005d9a40
SHA256

f16ec6a830121acd2f9fe4bc8c6834cef010578c005d9a10d827d57277e1bbd6
SHA512

f70b8d8d64564868270573c2d965532ddaa006f747027e02610d1278bf34990af8208ad568d0165d8e1751091460fc17dfc715e6fb6467a0806307db68261c9b
SSDEEP

1536:vj+jsMQMOtEvwDpj5HwYYTjipvF2hBfIuBKLUYOVbvh//Lq:vCjsIOtEvwDpj5H9YvQd2R8

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012246-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012246-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2676	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2868	2024-02-19_78a5ec487ac4aeb048290ea99d8a2a00_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2676	2868	2024-02-19_78a5ec487ac4aeb048290ea99d8a2a00_cryptolocker.exe	28
PID 2868 wrote to memory of 2676	2868	2024-02-19_78a5ec487ac4aeb048290ea99d8a2a00_cryptolocker.exe	28
PID 2868 wrote to memory of 2676	2868	2024-02-19_78a5ec487ac4aeb048290ea99d8a2a00_cryptolocker.exe	28
PID 2868 wrote to memory of 2676	2868	2024-02-19_78a5ec487ac4aeb048290ea99d8a2a00_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-19_78a5ec487ac4aeb048290ea99d8a2a00_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_78a5ec487ac4aeb048290ea99d8a2a00_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
126KB

MD5
cafe728aa6dfbb957482d90ef29748f7

SHA1
cd77a63f9c1bd9f7a3f927374fe67d8fa387ab8a

SHA256
9a35567c2517c36b1f8fe52d1a5120b42deffd67abb64dd8d7bdc5ec68f3f719

SHA512
6576f6dc4f51ca8f5aa151c50b49e5cf17fe516d0f9e12d9f9c36fcba1bf096132bc00d7154d4ebea1409b6d93a89a50d632558b699d7659691002347451e91b

Download Submit
memory/2676-15-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2868-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2868-1-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2868-7-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download