1f0bb7baa46d372378cdc2ce5bf68eb92c8e3846aed02bea04edffe9f85ac8cf

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 16:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_4a22f436b886b68a177230cd3c9c88df_cryptolocker.exe
Size

86KB
MD5

4a22f436b886b68a177230cd3c9c88df
SHA1

79c937500f708f73877b86ad2d582aa33abbbecf
SHA256

1f0bb7baa46d372378cdc2ce5bf68eb92c8e3846aed02bea04edffe9f85ac8cf
SHA512

08734911dc54c265c7915c426a4aefed58ec57a008eca1e82f8ababda1a4cf04d49b0cb5700198b9e6abda293e4096c894c6335596378cd6017610695bd5b7c5
SSDEEP

768:XS5nQJ24LR1bytOOtEvwDpjNbZ7uyA36S7MpxRXrZSUfFKazNclMjNUvAcl:i5nkFGMOtEvwDpjNbwQEI8UtzNcO8Acl

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/1384-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x00080000000120f8-11.dat	CryptoLocker_rule2
behavioral1/memory/1384-14-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2668-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2668-26-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 3 IoCs

resource	yara_rule
behavioral1/memory/1384-14-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2668-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2668-26-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 5 IoCs

resource	yara_rule
behavioral1/memory/1384-0-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00080000000120f8-11.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1384-14-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2668-17-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2668-26-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2668	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
1384	2024-02-20_4a22f436b886b68a177230cd3c9c88df_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 2668	1384	2024-02-20_4a22f436b886b68a177230cd3c9c88df_cryptolocker.exe	28
PID 1384 wrote to memory of 2668	1384	2024-02-20_4a22f436b886b68a177230cd3c9c88df_cryptolocker.exe	28
PID 1384 wrote to memory of 2668	1384	2024-02-20_4a22f436b886b68a177230cd3c9c88df_cryptolocker.exe	28
PID 1384 wrote to memory of 2668	1384	2024-02-20_4a22f436b886b68a177230cd3c9c88df_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-20_4a22f436b886b68a177230cd3c9c88df_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_4a22f436b886b68a177230cd3c9c88df_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
86KB

MD5
5f04b0b1faefab75ceb5f9b00da5ac4c

SHA1
a69102e0c0fa8701499e0ce257f86fcb0456d911

SHA256
f96ee2978fd69ea0c6e913017ccd27fed54610c28a05e2517fb0f0a6c30b08f5

SHA512
8c25f757b95e13aa018c1d83527d2ac0b778cb862854d9a8da4deddd9b609177c4c08e8480a23ca1badb133e8af635b035f6c93c5c5b0d32155195dd9c866f07

Download Submit
memory/1384-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1384-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1384-2-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1384-3-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1384-16-0x0000000002480000-0x000000000248F000-memory.dmp

Filesize
60KB

Download
memory/1384-14-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1384-28-0x0000000002480000-0x000000000248F000-memory.dmp

Filesize
60KB

Download
memory/2668-17-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2668-19-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2668-26-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download