dc41d72add5996bf0d8607bfeecc6abaa2cf090269635d91fca05ddb7bb4319c

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_1db5734ab6ed28ad1dae234a4ad67f14_cryptolocker.exe
Size

35KB
MD5

1db5734ab6ed28ad1dae234a4ad67f14
SHA1

0107e31ee00e9f14ee7192661278a2da74baa684
SHA256

dc41d72add5996bf0d8607bfeecc6abaa2cf090269635d91fca05ddb7bb4319c
SHA512

063567b696bf217fcb1675612ac9057589588155f8df4c73142d00ef746aa798f9b219c9770d3c0841d2231252b8b8711b936ffc77741d31c75974ecd86fe08f
SSDEEP

768:bxNQIE0eBhkL2Fo1CCwgfjOg1tsJ6zeen7c8:bxNrC7kYo1Fxf3s0c8

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001221f-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2536	pissa.exe

Loads dropped DLL 1 IoCs

pid	Process
1564	2024-02-24_1db5734ab6ed28ad1dae234a4ad67f14_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2536	1564	2024-02-24_1db5734ab6ed28ad1dae234a4ad67f14_cryptolocker.exe	28
PID 1564 wrote to memory of 2536	1564	2024-02-24_1db5734ab6ed28ad1dae234a4ad67f14_cryptolocker.exe	28
PID 1564 wrote to memory of 2536	1564	2024-02-24_1db5734ab6ed28ad1dae234a4ad67f14_cryptolocker.exe	28
PID 1564 wrote to memory of 2536	1564	2024-02-24_1db5734ab6ed28ad1dae234a4ad67f14_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-24_1db5734ab6ed28ad1dae234a4ad67f14_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_1db5734ab6ed28ad1dae234a4ad67f14_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\Temp\pissa.exe
  "C:\Users\Admin\AppData\Local\Temp\pissa.exe"
  2⤵
  - Executes dropped EXE
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\pissa.exe

Filesize
35KB

MD5
8065957bd0227135a3bf79cedccc7a99

SHA1
564a45e056de4bd76dc147c1fa4d536ca9a0cdc6

SHA256
bfa82c1e59ce0bcb2e553bd0d08266e55c58ae960adca6c17adb74c135910f49

SHA512
13676ac85dc0a34e35663621b8883abd4cd5733fd7854ca2932aea11034b9eb8ef5f233c3a60bdb9c7471253d389c625ef461c4de3832935f8e9ca20fc237275

Download Submit
memory/1564-0-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/1564-1-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/1564-8-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2536-15-0x0000000001CA0000-0x0000000001CA6000-memory.dmp

Filesize
24KB

Download
memory/2536-16-0x0000000001C80000-0x0000000001C86000-memory.dmp

Filesize
24KB

Download