15c08bfc517bcf5d8fe5e801504e1edf1da893c8b76dc8aa25c3bfb39d542eac

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe
Size

78KB
MD5

aa01992c752cd5389bbf54168aa9537b
SHA1

facffa8a3c6b20e54258fd7fd1e4cd8decac887b
SHA256

15c08bfc517bcf5d8fe5e801504e1edf1da893c8b76dc8aa25c3bfb39d542eac
SHA512

fee7a5da10cf23599cc63a8f537545e17c0b30f353f72c7e69f06701dc6de14b6c4d8de5070ef33d57362c3bade8ec09ff38b3e83b8827d25a3cc7a9666c2647
SSDEEP

1536:ZzFbxmLPWQMOtEvwDpj386Sj/WprgJN6tZdOyJ3KEWTPP:ZVxkGOtEvwDpjcaxK

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001220d-11.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2420	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
1960	2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2420	1960	2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe	28
PID 1960 wrote to memory of 2420	1960	2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe	28
PID 1960 wrote to memory of 2420	1960	2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe	28
PID 1960 wrote to memory of 2420	1960	2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
78KB

MD5
12bbb0ef2234d35dc8289df832f66730

SHA1
70b67f2c26295688b24c3012c886b94411cd99ce

SHA256
9c4e448209c504fc6cc22ce190edf214b1c45a746d289e6ae808a8d9e5e2ae67

SHA512
c99902a77d8f5014ef1e8da64ce16e0e9c39737c7bc1e59f946a64daff4a132b54a69cb3954ed86eca892f5004ffa03453ddfbdc709d395f84dcbf54e83700dd

Download Submit
memory/1960-2-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/1960-1-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/1960-3-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/1960-0-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2420-17-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2420-19-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/2420-16-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download