1efd7e2e68214d7ed0a1688c1bd377198e314e1fe21553a4bc14c67546900346

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_d3d645292b962e49b6082fdde5c9fa37_cryptolocker.exe
Size

51KB
MD5

d3d645292b962e49b6082fdde5c9fa37
SHA1

361ebae98f11944a6edd7bca02482761c2c8f97f
SHA256

1efd7e2e68214d7ed0a1688c1bd377198e314e1fe21553a4bc14c67546900346
SHA512

7468458f211d55bf86cc623be4a6356107770ef0767ba0abb48a910b913bcc3bf0a8e22eeca6057ad720f1930f385abf2058f57f9c30b25543760192215a55a2
SSDEEP

768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPhqlcnvhx5/xFRHnzv:6j+1NMOtEvwDpjr8hhX9L

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/2968-1-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000a000000012251-15.dat	CryptoLocker_rule2
behavioral1/memory/2968-14-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2120-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2120-26-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 5 IoCs

resource	yara_rule
behavioral1/memory/2968-1-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000a000000012251-15.dat	CryptoLocker_set1
behavioral1/memory/2968-14-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2120-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2120-26-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 5 IoCs

resource	yara_rule
behavioral1/memory/2968-1-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000a000000012251-15.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2968-14-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2120-16-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2120-26-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2120	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2968	2024-04-25_d3d645292b962e49b6082fdde5c9fa37_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2120	2968	2024-04-25_d3d645292b962e49b6082fdde5c9fa37_cryptolocker.exe	28
PID 2968 wrote to memory of 2120	2968	2024-04-25_d3d645292b962e49b6082fdde5c9fa37_cryptolocker.exe	28
PID 2968 wrote to memory of 2120	2968	2024-04-25_d3d645292b962e49b6082fdde5c9fa37_cryptolocker.exe	28
PID 2968 wrote to memory of 2120	2968	2024-04-25_d3d645292b962e49b6082fdde5c9fa37_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-25_d3d645292b962e49b6082fdde5c9fa37_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_d3d645292b962e49b6082fdde5c9fa37_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
51KB

MD5
f84f7b1d5ae342d432c5e7b7b8548fbf

SHA1
f4f87f4ab5aa32849a8688feb56497201e760f94

SHA256
755798bb9ae68e72ddd38de0d1944995430df8eb05cab48a759e81770a2ef810

SHA512
129e881fd76eb6c353805dbec52ea93a97a2417233e2a79f274b1b2be25a1719ea66614308aa7cd4f31e047e68789630a8d1248469b0905ba2884f9aeef23d13

Download Submit
memory/2120-16-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2120-18-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/2120-25-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/2120-26-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2968-0-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/2968-2-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/2968-1-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2968-3-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/2968-14-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download