dea18701649dc2d3da50985bca03e0a119fc10c0b405a6348948668b4bed7cd6

Resubmissions

28/03/2024, 15:36

240328-s193psaf97 7

28/03/2024, 15:33

240328-szmk1saf62 10

Analysis

max time kernel
72s
max time network
79s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
28/03/2024, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_c0e42ec15f3798003ea6a5fe67b6a495_cryptolocker.exe
Size

94KB
MD5

c0e42ec15f3798003ea6a5fe67b6a495
SHA1

3eacd64c509f06c3f52172d90055594f0a5dae37
SHA256

dea18701649dc2d3da50985bca03e0a119fc10c0b405a6348948668b4bed7cd6
SHA512

1db50f3ff0aa6ff6a38a47cb8c46c11a6952bfdf574fa7d1f5eab50ff1bc7867660e95b3e1d4183e7e3595782eec2a8c6ffd3c5216fa037d08be627627ca1c08
SSDEEP

1536:zj+soPSMOtEvwDpj4ktBl01hJl8QAPM8Ho6cRDjgx/+e:zCsanOtEvwDpjB/

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2440	misid.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4576-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x000800000001ab26-12.dat	upx
behavioral2/memory/4576-14-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2440-15-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2440-53-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1104	POWERPNT.EXE
1416	WINWORD.EXE
1416	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4508	mspaint.exe
4508	mspaint.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1104	POWERPNT.EXE
1104	POWERPNT.EXE
1104	POWERPNT.EXE
1104	POWERPNT.EXE
1104	POWERPNT.EXE
1104	POWERPNT.EXE
4508	mspaint.exe
4508	mspaint.exe
4508	mspaint.exe
4508	mspaint.exe
1416	WINWORD.EXE
1416	WINWORD.EXE
1416	WINWORD.EXE
1416	WINWORD.EXE
1416	WINWORD.EXE
1416	WINWORD.EXE
1416	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 2440	4576	2024-03-28_c0e42ec15f3798003ea6a5fe67b6a495_cryptolocker.exe	73
PID 4576 wrote to memory of 2440	4576	2024-03-28_c0e42ec15f3798003ea6a5fe67b6a495_cryptolocker.exe	73
PID 4576 wrote to memory of 2440	4576	2024-03-28_c0e42ec15f3798003ea6a5fe67b6a495_cryptolocker.exe	73

C:\Users\Admin\AppData\Local\Temp\2024-03-28_c0e42ec15f3798003ea6a5fe67b6a495_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_c0e42ec15f3798003ea6a5fe67b6a495_cryptolocker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2440

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\ReceiveSave.ppt" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\ResetDisconnect.ttf
1⤵
PID:2020

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\MountInstall.dib"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4508

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:5064

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\74a0ad00a184813f0b8867eb2f8dfef7227a18a4.tbres

Filesize
2KB

MD5
f16ec15f470c58c962298438e8311a9f

SHA1
687939362a43e359177d929288994b2e9f0342ff

SHA256
dcb1e2d8c5bf4b8309f9d3cfde382090593c548d557bef35c5e01ccfc9f45b39

SHA512
3610b62eb89e2918448af8740bbb835efb3f2598a7f72445f99760aa4e4c386d4308ba6f7aa2dbb2726ad22c679031c7c2eeea2e1cfb4b6b8d672fbcb5f21e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
95KB

MD5
7d1a8bdb09ad06debb5b271225847562

SHA1
855b8916d0a6fa42588d47edea8cf04585b11241

SHA256
62d8229fc98ece7cb47e064afbae733a3236de4d8af4225ecfe1610a76015290

SHA512
d76f250766d093080fbcfef4d9cf696541ba398a8ddabd3f604fa5a19f620ac85d023cb25bb5af73da0a33b6c229cd08d58278090f9b1c825e1b82080c5a270c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
224B

MD5
e66d36cbcfd69fdf8db6e5c649137ef1

SHA1
c1ce08cca33347fe58f95f78f61c31ac6501f511

SHA256
15376656ff62df570727bcac73caf451fbe0599729bb4bf648b5e65b3e97f5f4

SHA512
78a8c44885ce2f1a035a3075a50027d6eff5c1adbc4d4d134880b1aced5e5d0f70fb6ca8cb037327ec4890a392b3be84eb85c72f38d4cfac985afab64b7c81bc

Download Submit
memory/1104-73-0x00007FFA0AF90000-0x00007FFA0AFA0000-memory.dmp

Filesize
64KB

Download
memory/1104-75-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-262-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-54-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1104-55-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1104-57-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1104-56-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-59-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-58-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1104-62-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-63-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-64-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-67-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-260-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-261-0x00007FFA4D200000-0x00007FFA4D2AE000-memory.dmp

Filesize
696KB

Download
memory/1104-72-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-77-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-76-0x00007FFA4D200000-0x00007FFA4D2AE000-memory.dmp

Filesize
696KB

Download
memory/1104-74-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-78-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-79-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-80-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-82-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-83-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1104-84-0x00007FFA4D200000-0x00007FFA4D2AE000-memory.dmp

Filesize
696KB

Download
memory/1104-81-0x00007FFA0AF90000-0x00007FFA0AFA0000-memory.dmp

Filesize
64KB

Download
memory/1104-255-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1104-256-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1104-257-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1104-258-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1104-259-0x00007FFA4D200000-0x00007FFA4D2AE000-memory.dmp

Filesize
696KB

Download
memory/1416-265-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1416-283-0x00007FFA0AF90000-0x00007FFA0AFA0000-memory.dmp

Filesize
64KB

Download
memory/1416-532-0x00007FFA4D200000-0x00007FFA4D2AE000-memory.dmp

Filesize
696KB

Download
memory/1416-264-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1416-527-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1416-266-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-268-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1416-267-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-270-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-271-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-269-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1416-272-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-273-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-275-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-276-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-278-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-279-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-280-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-281-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-282-0x00007FFA4D200000-0x00007FFA4D2AE000-memory.dmp

Filesize
696KB

Download
memory/1416-284-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-528-0x00007FFA4D200000-0x00007FFA4D2AE000-memory.dmp

Filesize
696KB

Download
memory/1416-285-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-286-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-287-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-288-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-289-0x00007FFA0AF90000-0x00007FFA0AFA0000-memory.dmp

Filesize
64KB

Download
memory/1416-290-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-291-0x00007FFA4D200000-0x00007FFA4D2AE000-memory.dmp

Filesize
696KB

Download
memory/1416-294-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-531-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-530-0x00007FFA4DB50000-0x00007FFA4DD2B000-memory.dmp

Filesize
1.9MB

Download
memory/1416-525-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1416-526-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/1416-529-0x00007FFA0DBE0000-0x00007FFA0DBF0000-memory.dmp

Filesize
64KB

Download
memory/2440-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2440-17-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/2440-18-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2440-53-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4576-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4576-1-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/4576-2-0x0000000002050000-0x0000000002056000-memory.dmp

Filesize
24KB

Download
memory/4576-3-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/4576-14-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download