c81d4a024057972cd3e8c8829b34fd8685e51493c3f5d3aa14f2f54659cc08a2

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe
Size

65KB
MD5

18b42dca86d3a8f4e5aa8bc4b6a3f2d6
SHA1

d71647602b66752c05763d2a12c22567206f3fe7
SHA256

c81d4a024057972cd3e8c8829b34fd8685e51493c3f5d3aa14f2f54659cc08a2
SHA512

d0040cc4b9a16e3b8d92a98deb3f990268b65d157e8b400df52ad810547c5c95473b6a2e3e2331d07afda2f0c103dbbbd37fe31e573b5fc99cfde557cb855ec4
SSDEEP

768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPOYRmNxt5I52kGEO10KmJS:6j+1NMOtEvwDpjr8ox8UDEy0KmY

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 6 IoCs

resource	yara_rule
behavioral1/memory/1504-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000a000000012254-11.dat	CryptoLocker_rule2
behavioral1/memory/1504-12-0x0000000001FE0000-0x0000000001FEF000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1504-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2272-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2272-27-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 6 IoCs

resource	yara_rule
behavioral1/memory/1504-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000a000000012254-11.dat	CryptoLocker_set1
behavioral1/memory/1504-12-0x0000000001FE0000-0x0000000001FEF000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1504-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2272-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2272-27-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 6 IoCs

resource	yara_rule
behavioral1/memory/1504-0-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000a000000012254-11.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1504-12-0x0000000001FE0000-0x0000000001FEF000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1504-15-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2272-17-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2272-27-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2272	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
1504	2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2272	1504	2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe	28
PID 1504 wrote to memory of 2272	1504	2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe	28
PID 1504 wrote to memory of 2272	1504	2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe	28
PID 1504 wrote to memory of 2272	1504	2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_18b42dca86d3a8f4e5aa8bc4b6a3f2d6_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
65KB

MD5
d890dc70c897c5d4c40170169cf716c0

SHA1
62f28357c361904f946c6813de41c954d9b8d87f

SHA256
fea7ae99a4a166f123665edce9a2866ffa33ab9da8467c5c2c529ab3ca3ed66d

SHA512
e284e7802216e46546f1be8a67b93cfba2226b08064e486b3cbfab43b988ab08d7059ebfe443fe3f1754f25fb508ef37e3cc356716a1de1fc3e9167f53729d4a

Download Submit
memory/1504-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1504-1-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/1504-2-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1504-3-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/1504-12-0x0000000001FE0000-0x0000000001FEF000-memory.dmp

Filesize
60KB

Download
memory/1504-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2272-17-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2272-19-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2272-26-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2272-27-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download