299acd89e5b70b9e97724b1658e683d42ee141d5fb4786002eee9f04c22ffbe7

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_e875c2eb739304c1b7605df3bacbcff1_cryptolocker.exe
Size

126KB
MD5

e875c2eb739304c1b7605df3bacbcff1
SHA1

217e666276b4416df4f15badcffcfe15db18c6a1
SHA256

299acd89e5b70b9e97724b1658e683d42ee141d5fb4786002eee9f04c22ffbe7
SHA512

9cc5823228a630802fcb1e6f2f974453dfb40743a2775d4e6145f46ff15544eab6933483a6bd4c2372b8b00ca1724f03a38a3ba1836239bc56e8dc968883ca2a
SSDEEP

1536:gUj+AIMOtEvwDpjNbwQEIPlemUhYwkkxGBpG:vCA9OtEvwDpji

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012254-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012254-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
1272	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
1460	2024-02-22_e875c2eb739304c1b7605df3bacbcff1_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1272	1460	2024-02-22_e875c2eb739304c1b7605df3bacbcff1_cryptolocker.exe	28
PID 1460 wrote to memory of 1272	1460	2024-02-22_e875c2eb739304c1b7605df3bacbcff1_cryptolocker.exe	28
PID 1460 wrote to memory of 1272	1460	2024-02-22_e875c2eb739304c1b7605df3bacbcff1_cryptolocker.exe	28
PID 1460 wrote to memory of 1272	1460	2024-02-22_e875c2eb739304c1b7605df3bacbcff1_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-22_e875c2eb739304c1b7605df3bacbcff1_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_e875c2eb739304c1b7605df3bacbcff1_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
127KB

MD5
a7bd03a883968d4c40e56e4194c02d36

SHA1
5f78cf5520d96757e855144672b4da3333e3c247

SHA256
7a7ccbc8e118220a0fbe5ae063265e9e89f68cf9a1887085c21f7f3b7dda8246

SHA512
80ad7cb9dc39a415f6e9ea3fe22ba3202ec99803d6f4a8fec810bddcda9d9f309fa1257d9f83d158a65b16a52524f38b5c9f33f042c06d4caf6b9a45c98ccba5

Download Submit
memory/1272-15-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/1272-22-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/1460-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1460-2-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1460-1-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download