79af69e3a7979d32a8ced70e388457a666cec9ea4cc745d43e004dd8f5d55cf0

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_195ff11e963fc9646e20559a896fff7a_cryptolocker.exe
Size

122KB
MD5

195ff11e963fc9646e20559a896fff7a
SHA1

72933aa77b5126259ab79697185e9d9847b3b918
SHA256

79af69e3a7979d32a8ced70e388457a666cec9ea4cc745d43e004dd8f5d55cf0
SHA512

76b00fa96ddc0bb0ff9a07fd44e73f4893583e6f9984fdba697150f2bccc1651c7e59c229ff02d6d4fc1fdd84026f147650ab802e52f689da04a7e13eeedacf0
SSDEEP

768:gUQz7yVEhs9+4T/1bytOOtEvwDpjNbZ7uyA36S7MpxRIIXVe3mU9TYwlOBTZ+mW:gUj+AIMOtEvwDpjNbwQEIPlemUhYps

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012247-22.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012247-22.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2756	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2448	2024-02-19_195ff11e963fc9646e20559a896fff7a_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2756	2448	2024-02-19_195ff11e963fc9646e20559a896fff7a_cryptolocker.exe	1
PID 2448 wrote to memory of 2756	2448	2024-02-19_195ff11e963fc9646e20559a896fff7a_cryptolocker.exe	1
PID 2448 wrote to memory of 2756	2448	2024-02-19_195ff11e963fc9646e20559a896fff7a_cryptolocker.exe	1
PID 2448 wrote to memory of 2756	2448	2024-02-19_195ff11e963fc9646e20559a896fff7a_cryptolocker.exe	1

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
1⤵
- Executes dropped EXE
PID:2756

C:\Users\Admin\AppData\Local\Temp\2024-02-19_195ff11e963fc9646e20559a896fff7a_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_195ff11e963fc9646e20559a896fff7a_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
123KB

MD5
28e37d5ce3b7e2d7435d59a69447d1f3

SHA1
2d40aa57a95703ce76019bba38bf2b425c471420

SHA256
5af58657dbad47e6e1cde2ee5e3643be1ba3cb4f8f07c0bb0cd3fc555d5abbfb

SHA512
a1f031faf993021abc9cb90264d2ae92bfd1b577e04d4a120b5088a692b49a0a383bc19b9d47124cff393cb83472886c841d1b08820879a1c5e2c51c456d9408

Download Submit
memory/2448-2-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/2448-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2448-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2756-21-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2756-15-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download