862e05a33b80e4bc70e5afb64cf742930c2b54689d8743f5d51aadee1c8df598

General

Target

2024-04-05_ddc0b1aef25ddb1524803ffaede3323c_cryptolocker.exe
Size

40KB
MD5

ddc0b1aef25ddb1524803ffaede3323c
SHA1

dc84e40cf619455fbc36a5b38d228a59c4dffc67
SHA256

862e05a33b80e4bc70e5afb64cf742930c2b54689d8743f5d51aadee1c8df598
SHA512

e5255750b2264d6dc025c2de8b8154787155b4983c75fcf7a5f00cf7307146f64eb257cb33a6ffbcc9512bba015386c2b7a43e7f4db8485fac640ce9798f7fa5
SSDEEP

768:TS5nQJ24LR7tOOtEvwDpjGqPhqlcnvhx5/xFRYzv:m5nkFNMOtEvwDpjG8hhXyzv

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral2/memory/5032-0-0x0000000000500000-0x000000000050E000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x000800000002320c-13.dat	CryptoLocker_rule2
behavioral2/memory/5032-18-0x0000000000500000-0x000000000050E000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/3896-17-0x0000000000500000-0x000000000050E000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/3896-49-0x0000000000500000-0x000000000050E000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 3 IoCs

resource	yara_rule
behavioral2/memory/5032-18-0x0000000000500000-0x000000000050E000-memory.dmp	CryptoLocker_set1
behavioral2/memory/3896-17-0x0000000000500000-0x000000000050E000-memory.dmp	CryptoLocker_set1
behavioral2/memory/3896-49-0x0000000000500000-0x000000000050E000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 5 IoCs

resource	yara_rule
behavioral2/memory/5032-0-0x0000000000500000-0x000000000050E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000800000002320c-13.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/5032-18-0x0000000000500000-0x000000000050E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3896-17-0x0000000000500000-0x000000000050E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3896-49-0x0000000000500000-0x000000000050E000-memory.dmp	INDICATOR_EXE_Packed_MPress

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	2024-04-05_ddc0b1aef25ddb1524803ffaede3323c_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	misid.exe

Executes dropped EXE 1 IoCs

pid	Process
3896	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 8 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	misid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	misid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	misid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4	misid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 0f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df1090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000062000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb42000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	misid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 0400000001000000100000001b31b0714036cc143691adc43efdec18030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d462000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b402340b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df12000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	misid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 19000000010000001000000082218ffb91733e64136be5719f57c3a10f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df1090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000062000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb40400000001000000100000001b31b0714036cc143691adc43efdec182000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	misid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = 5c0000000100000004000000001000000400000001000000100000001b31b0714036cc143691adc43efdec18030000000100000014000000afe5d244a8d1194230ff479fe2f897bbcd7a8cb41d0000000100000010000000cb39c3d4272cdf63774e1db810c5a89e140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d462000000010000002000000052f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b402340b000000010000003a0000005300650063007400690067006f002000280066006f0072006d00650072006c007900200043006f006d006f0064006f002000430041002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000030000000761613f4cd8607508c3d520fbefe68773735fc73746f42a9fd6254ba3b72f0047994e5af57677cf6d2c1965984965df119000000010000001000000082218ffb91733e64136be5719f57c3a12000000001000000dc050000308205d8308203c0a00302010202104caaf9cadb636fe01ff74ed85b03869d300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3130303131393030303030305a170d3338303131383233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a3423040301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201000af1d54684b7ae51bb6cb24d411400934c9ccbe5c054cfa0258e02f9fdb0a20df520983c132dac56a2b0d67e1192e92eba9e2e9a72b1bd19446c6135a29ab41612695a8ce1d73ea41ae82f03f4ae611d101b2aa48b7ac5fe05a6e1c0d6c8fe9eae8f2bba3d99f8d8730958466ea69cf4d727d395da3783721cd373e0a2479903385dd5497900291cc7ec9b201c0724695778b239fc3a84a0b59c7c8dbf2e936227b739da1718aebd3c0968ff849b3cd5d60b03e3579e14f7d1eb4fc8bd8723b7b6494379855cbaeb920ba1c6e868a84c16b11a990ae8532c92bba10918750c65a87bcb23b71ac22885c31bffd02b62efa47b099198678c1401cd68066a6321750380888a6e81c685f2a9a42de7f4a524104783cacdf48d7958b1069be71a2ad99d01d7947ded034acaf0dbe8a9013ef55699c91e8e493dbbe509b9e04f49923d168240cccc59c6e63aed122e693c6c95b1fdaa1d7b7f86be1e0e3246fbfb138f757f4c8b4b4663fe00344070c1c3b9a1dda670e204b341bce98091ea649c7ae12203a99c6e6f0e654f6c87875ef36ea0f975a59b40e853b2279d4ab9c077218dff87f2debc8cef17dfb7490bd1f26e300b1a0e4e76ed11fcf5e956b27dbfc76d0a938ca5d0c0b61dbe3a4e94a2d76e6c0bc28a7cfa20f3c4e4e5cd0da8cb9192b17c85ecb51469660e82e7cdcec82da6517f21c1355385064a5d9fadbb1b5f74	misid.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 3896	5032	2024-04-05_ddc0b1aef25ddb1524803ffaede3323c_cryptolocker.exe	89
PID 5032 wrote to memory of 3896	5032	2024-04-05_ddc0b1aef25ddb1524803ffaede3323c_cryptolocker.exe	89
PID 5032 wrote to memory of 3896	5032	2024-04-05_ddc0b1aef25ddb1524803ffaede3323c_cryptolocker.exe	89

C:\Users\Admin\AppData\Local\Temp\2024-04-05_ddc0b1aef25ddb1524803ffaede3323c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_ddc0b1aef25ddb1524803ffaede3323c_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system certificate store
  PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
41KB

MD5
c52fa354401eff42f7cf0bf7de3039b3

SHA1
ba880d3dfcf072592e7973a0e986c6506e92dd4b

SHA256
26de0ba77ae07fe4ed9324d884e595493a54c45e9cfb2db093ca0eedf810728a

SHA512
8e4a817922c10910648db06f725a6443064622206d458f06899d421f6215d7e3e1f2dc31b1d04d5b492487555aa1a433c2029a71654810b982074f4052742be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\misids.exe

Filesize
315B

MD5
a34ac19f4afae63adc5d2f7bc970c07f

SHA1
a82190fc530c265aa40a045c21770d967f4767b8

SHA256
d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

SHA512
42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765

Download Submit
memory/3896-17-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/3896-20-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/3896-22-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/3896-49-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/5032-0-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/5032-1-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/5032-2-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/5032-3-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/5032-18-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing