0171d75735fdfb0b1283cc733a72de54bd3e735bbbc0ab0a5ba758e296b8bfed

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-02-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_9d906da2594e901abb65f2ea3ce95432_cryptolocker.exe
Size

38KB
MD5

9d906da2594e901abb65f2ea3ce95432
SHA1

16905136a19d94d1ed42a6f3566afec0346f8325
SHA256

0171d75735fdfb0b1283cc733a72de54bd3e735bbbc0ab0a5ba758e296b8bfed
SHA512

180bc583de353ee2a3e6454452d015f496fd58fd2c0c98b851e5be25398ec4a53d209439f89b1250efe9739d3b22ac508612a494bad8b7d38d7057897fc89e0e
SSDEEP

768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjLenO:ZzFbxmLPWQMOtEvwDpjLeO

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000f000000012248-11.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2496	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2160	2024-02-23_9d906da2594e901abb65f2ea3ce95432_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2496	2160	2024-02-23_9d906da2594e901abb65f2ea3ce95432_cryptolocker.exe	28
PID 2160 wrote to memory of 2496	2160	2024-02-23_9d906da2594e901abb65f2ea3ce95432_cryptolocker.exe	28
PID 2160 wrote to memory of 2496	2160	2024-02-23_9d906da2594e901abb65f2ea3ce95432_cryptolocker.exe	28
PID 2160 wrote to memory of 2496	2160	2024-02-23_9d906da2594e901abb65f2ea3ce95432_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-23_9d906da2594e901abb65f2ea3ce95432_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_9d906da2594e901abb65f2ea3ce95432_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
38KB

MD5
87e182c46640aa750df2b1d308f427f3

SHA1
89968b2785835e2e646141afa63527cf1c95f95d

SHA256
06337584a84280eb94aa51524a862d99dca964f023d3c9fb67ee3da77ae27dba

SHA512
50f6b2e3d4f86dbcd85f3e5f0546222a94ef6888a305cb7412ec0964464ecf969c253440aa2c08879d1e3e67cf4f672b8e5c89c7baa2d835d18090d88515d6af

Download Submit
memory/2160-0-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2160-1-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2160-2-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2160-9-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2496-17-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2496-16-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download