afd9c11cbb96c86bc9a7a30a1eca4d4e07717de5d46ded670506bbe96692a9a2

Analysis

max time kernel
145s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_36beed9a41982233b61be0d5b076285f_cryptolocker.exe
Size

70KB
MD5

36beed9a41982233b61be0d5b076285f
SHA1

5297e6263b0d6a221d9d465a7f0c5a4d0828013e
SHA256

afd9c11cbb96c86bc9a7a30a1eca4d4e07717de5d46ded670506bbe96692a9a2
SHA512

e8d1cb9aceccb4581ae166717f99aa178ed65608682e309310897e1d300686d2d24cf2b3bd96c0919b470e4f20d4e4420fb4a6c5d6dc7a64bb4ed09f0d110256
SSDEEP

1536:nj+4zs2cPVhlMOtEvwDpj4H8u8rZVTs9z:C4Q2c94OtEvwDpj4H8zO

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/2960-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x0008000000012265-11.dat	CryptoLocker_rule2
behavioral1/memory/2960-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1268-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1268-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 3 IoCs

resource	yara_rule
behavioral1/memory/2960-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1268-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1268-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/memory/2960-0-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/files/0x0008000000012265-11.dat	UPX
behavioral1/memory/2960-15-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/1268-16-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/1268-26-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
1268	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2960	2024-04-19_36beed9a41982233b61be0d5b076285f_cryptolocker.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2960-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x0008000000012265-11.dat	upx
behavioral1/memory/2960-15-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1268-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1268-26-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1268	2960	2024-04-19_36beed9a41982233b61be0d5b076285f_cryptolocker.exe	28
PID 2960 wrote to memory of 1268	2960	2024-04-19_36beed9a41982233b61be0d5b076285f_cryptolocker.exe	28
PID 2960 wrote to memory of 1268	2960	2024-04-19_36beed9a41982233b61be0d5b076285f_cryptolocker.exe	28
PID 2960 wrote to memory of 1268	2960	2024-04-19_36beed9a41982233b61be0d5b076285f_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-19_36beed9a41982233b61be0d5b076285f_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_36beed9a41982233b61be0d5b076285f_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
70KB

MD5
31eb5e7f64eb551cae5ffef422b625d4

SHA1
aebb45c4073511c2774cb89875ce0d73ef67876d

SHA256
6621efe23b8197ddbaa932f99e4744ef30e497965b6a6e0a15e398a099f713e1

SHA512
a5007cc7d602b119bef24dae8bbc2af16b036b268c8a5bcb4665d604341aacbfbd0117a94e5bb1fcaf56ace03c902cc046e07ebd8140393245dbd1c368954319

Download Submit
memory/1268-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1268-18-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1268-25-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1268-26-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2960-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2960-1-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/2960-2-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/2960-3-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/2960-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download