cdbf18661e8488a8d4302eb1d68759e0899b96d858a3188a966fd81f1654825b

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_15621cf513362a3845e4c8846821258a_cryptolocker.exe
Size

52KB
MD5

15621cf513362a3845e4c8846821258a
SHA1

47ae3c87f6eddf506d22a466a77b126d611aeb87
SHA256

cdbf18661e8488a8d4302eb1d68759e0899b96d858a3188a966fd81f1654825b
SHA512

71d894e5714e67b968034d3243c223a53f9283bc618b57af0bc69013f311e2bc746cdc76632668e1de49c72c267a210754bda129cd5d868a35abb82e3fcb75b1
SSDEEP

1536:ZzFbxmLPWQMOtEvwDpj386Sj/WprgJN6tZdO5g:ZVxkGOtEvwDpjcS

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120dc-11.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2772	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
1504	2024-02-19_15621cf513362a3845e4c8846821258a_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2772	1504	2024-02-19_15621cf513362a3845e4c8846821258a_cryptolocker.exe	28
PID 1504 wrote to memory of 2772	1504	2024-02-19_15621cf513362a3845e4c8846821258a_cryptolocker.exe	28
PID 1504 wrote to memory of 2772	1504	2024-02-19_15621cf513362a3845e4c8846821258a_cryptolocker.exe	28
PID 1504 wrote to memory of 2772	1504	2024-02-19_15621cf513362a3845e4c8846821258a_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-19_15621cf513362a3845e4c8846821258a_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_15621cf513362a3845e4c8846821258a_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
52KB

MD5
a917e59de404400ca7528e1d5838bc2e

SHA1
ba4f39ad2dd87ee8086dd8902ae297749073cbce

SHA256
41103d42dbf95d05728d69d88431c0b87a6d4113bb29d95eb1ef8f232385a91d

SHA512
2377744a4ae63daab5c81cf22513dea2471c4687c7b97c672802cc76a16b4d653a23aa5a3e0e2345e6137c8c71c4a0acb327fd73da89d8fc8b54c1d4eb7c5b5a

Download Submit
memory/1504-1-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/1504-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1504-2-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1504-3-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2772-17-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/2772-16-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download