a1c390d688d671a22a75cade4d106b2e5661a834389b3769a12a72b10c7373e3

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_196409386e4b39976b0a4357ac6b49eb_cryptolocker.exe
Size

64KB
MD5

196409386e4b39976b0a4357ac6b49eb
SHA1

be523a9c34e91b64bc0c732b40e1ff87f1b6682d
SHA256

a1c390d688d671a22a75cade4d106b2e5661a834389b3769a12a72b10c7373e3
SHA512

014fa6f2bb32df2f102611cb20a681c6e68d13996fc4c555858ef0c7f159dfb12d8f9ee5826420b67ce8062eeb0c7aad8f0b340223a87a11ed26b65c6e345cb1
SSDEEP

768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPOYRmNxt5I52kGEO10Km9ur:6j+1NMOtEvwDpjr8ox8UDEy0Kmgr

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 6 IoCs

resource	yara_rule
behavioral1/memory/880-1-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x0009000000015c71-11.dat	CryptoLocker_rule2
behavioral1/memory/880-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1936-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/880-12-0x00000000023A0000-0x00000000023AF000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1936-26-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 6 IoCs

resource	yara_rule
behavioral1/memory/880-1-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x0009000000015c71-11.dat	CryptoLocker_set1
behavioral1/memory/880-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1936-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/880-12-0x00000000023A0000-0x00000000023AF000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1936-26-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 6 IoCs

resource	yara_rule
behavioral1/memory/880-1-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0009000000015c71-11.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/880-15-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1936-17-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/880-12-0x00000000023A0000-0x00000000023AF000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1936-26-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
1936	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
880	2024-02-19_196409386e4b39976b0a4357ac6b49eb_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1936	880	2024-02-19_196409386e4b39976b0a4357ac6b49eb_cryptolocker.exe	28
PID 880 wrote to memory of 1936	880	2024-02-19_196409386e4b39976b0a4357ac6b49eb_cryptolocker.exe	28
PID 880 wrote to memory of 1936	880	2024-02-19_196409386e4b39976b0a4357ac6b49eb_cryptolocker.exe	28
PID 880 wrote to memory of 1936	880	2024-02-19_196409386e4b39976b0a4357ac6b49eb_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-19_196409386e4b39976b0a4357ac6b49eb_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_196409386e4b39976b0a4357ac6b49eb_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
64KB

MD5
89bab7477310358b32cef218fa041250

SHA1
3bd804ff5d24680b2525295703c08b006ae129f1

SHA256
e30bc5475e949cbc77f9f9abdedeae4927b64e7a3dfb19f29bcccc6fdbd1cdc8

SHA512
10bebb23d36bdf821b9e3edfc7bcf14514339db36f694bdff9ab1d7495bced786edde4ee5d6e5af06b054705a62dd77be8121c2bed1f6d664dfcaf5bc84ad3b9

Download Submit
memory/880-1-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/880-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/880-2-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/880-9-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/880-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/880-12-0x00000000023A0000-0x00000000023AF000-memory.dmp

Filesize
60KB

Download
memory/1936-17-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1936-19-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1936-26-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download