668f8d42b6ac0993917a28393f891e6cfd1ded8f76957ec9b1a0fa776da3a15b

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 04:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_1c2f56e15d142a59a72aa9ba81121895_cryptolocker.exe
Size

45KB
MD5

1c2f56e15d142a59a72aa9ba81121895
SHA1

7c6bc0970571cec34c828e86cfe0cc3a2b749e51
SHA256

668f8d42b6ac0993917a28393f891e6cfd1ded8f76957ec9b1a0fa776da3a15b
SHA512

7838dbb1435cb3a004280b95ea1d8c70dee1f54c8e843d027e5d2781fc5d1e677078cf4b429940625b1f8dde651437185ef9b6a086e54e38e2c6cda098d842c6
SSDEEP

768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjIm8z2iaSIO/WZrEu/d+qmsUHQ1wsK:ZzFbxmLPWQMOtEvwDpj386Sj/WprqQ1Q

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012255-14.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2000	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2192	2024-03-09_1c2f56e15d142a59a72aa9ba81121895_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2000	2192	2024-03-09_1c2f56e15d142a59a72aa9ba81121895_cryptolocker.exe	28
PID 2192 wrote to memory of 2000	2192	2024-03-09_1c2f56e15d142a59a72aa9ba81121895_cryptolocker.exe	28
PID 2192 wrote to memory of 2000	2192	2024-03-09_1c2f56e15d142a59a72aa9ba81121895_cryptolocker.exe	28
PID 2192 wrote to memory of 2000	2192	2024-03-09_1c2f56e15d142a59a72aa9ba81121895_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-09_1c2f56e15d142a59a72aa9ba81121895_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_1c2f56e15d142a59a72aa9ba81121895_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
45KB

MD5
bd2ec4b280a82a0d52bc733fa777ad43

SHA1
46dd463830a81d6d62ac5bf6f134beb55fd371ae

SHA256
55d77cc69ca115a90c648d15d66da32bdb98b0c726e260cb523927062cc68982

SHA512
a22b16c779f8a1462fb40e3eb74a3a5bc125f0f1a5a9bf0cc2e9a3570d62da6fb30c32f0d42d323c8ee648ec53ae6e7d51818b311749dfa0a511dd3416e4e9ce

Download Submit
memory/2000-16-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2000-23-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2192-1-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2192-0-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2192-2-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2192-9-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download