e78a72d730876000e926f756d7374363b9ee548bcca008007275bbff61fbb9b7

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_43ab96935a07e8eae7aec9a70a89e411_cryptolocker.exe
Size

57KB
MD5

43ab96935a07e8eae7aec9a70a89e411
SHA1

7d0c92dc7ce800deb15991e82da13e168070b1f3
SHA256

e78a72d730876000e926f756d7374363b9ee548bcca008007275bbff61fbb9b7
SHA512

13bb3a907b8203655fe9ea3137d9d057d756867fa5a32ef7073d80511ff5fefdf9def27d5eedbc9532bb1052283d0ad403e84fdfec9a9985f71c98de95c976a7
SSDEEP

768:zQz7yVEhs9+syJP6ntOOtEvwDpjFeV0ZOfcpyv:zj+soPSMOtEvwDpj4yW

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

resource	yara_rule
behavioral1/memory/1288-1-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000d000000012321-14.dat	CryptoLocker_rule2
behavioral1/memory/1288-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2964-25-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral1/memory/1288-1-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000d000000012321-14.dat	CryptoLocker_set1
behavioral1/memory/1288-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2964-25-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral1/memory/1288-1-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/files/0x000d000000012321-14.dat	UPX
behavioral1/memory/1288-15-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/2964-25-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2964	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
1288	2024-03-12_43ab96935a07e8eae7aec9a70a89e411_cryptolocker.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1288-1-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000d000000012321-14.dat	upx
behavioral1/memory/1288-15-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2964-25-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2964	1288	2024-03-12_43ab96935a07e8eae7aec9a70a89e411_cryptolocker.exe	28
PID 1288 wrote to memory of 2964	1288	2024-03-12_43ab96935a07e8eae7aec9a70a89e411_cryptolocker.exe	28
PID 1288 wrote to memory of 2964	1288	2024-03-12_43ab96935a07e8eae7aec9a70a89e411_cryptolocker.exe	28
PID 1288 wrote to memory of 2964	1288	2024-03-12_43ab96935a07e8eae7aec9a70a89e411_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-12_43ab96935a07e8eae7aec9a70a89e411_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_43ab96935a07e8eae7aec9a70a89e411_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
57KB

MD5
58db1f290cef0b45980631b01744fff1

SHA1
5f7f4013721bd8c79bad1e27ad830ab2d5bdd0f9

SHA256
88f9391c46584a113d1f35aa6e54113e321e304dde85ac932d645c1fb3f12d8b

SHA512
fe5e48ec7e84e6540c69547cee8439999b9a5fecb8a01b8da1689a4785e2d929381ce2f0477fe41412137dc3c55ea8863b973efa5d4d5747751459718547a4a9

Download Submit
memory/1288-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1288-1-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1288-2-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/1288-9-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1288-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2964-17-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2964-24-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2964-25-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download