93286db839e47c53d166e7a980cf0fe75183dc68af5754635be6d005a39a7ce9

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe
Size

84KB
MD5

b3ba0acdc18155980e29b9ceb79f3953
SHA1

710dac50cc9a1b07294c72fbc9a1d6d9c6f355f4
SHA256

93286db839e47c53d166e7a980cf0fe75183dc68af5754635be6d005a39a7ce9
SHA512

6154f470ea02fa513254df249df6c528f94bfcf87b65121fcdb8f1c9104fc0df0d8c75585617e04e93726b1b8077520d9c2832e3cf35d1be74037a04b62411d0
SSDEEP

1536:vj+jsMQMOtEvwDpj5HwYYTjipvF2hBfWafHNBH:vCjsIOtEvwDpj5H9YvQd2v

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_set1

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid process

1996 misid.exe
Loads dropped DLL 1 IoCs

Processes:

2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe

pid process

2824 2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1996	misid.exe

pid	process
2824	2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe

description	pid	process	target process
PID 2824 wrote to memory of 1996	2824	2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe	misid.exe
PID 2824 wrote to memory of 1996	2824	2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe	misid.exe
PID 2824 wrote to memory of 1996	2824	2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe	misid.exe
PID 2824 wrote to memory of 1996	2824	2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe	misid.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_b3ba0acdc18155980e29b9ceb79f3953_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
2⤵
- Executes dropped EXE
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe
Filesize
84KB

MD5
86bb4bb5b76b5657161973d2e13a63b7

SHA1
8e82d1a5912023780245b14a7e1a7d13814c4c74

SHA256
400a825e6506744b6122bea932445574609e1ef4a4736de2da173a07ec4b0b2c

SHA512
6e5b3b4fc8ba6b57a1ff623b05774922f06454f3626fc1ab499263ad4f17c12f6f9051bafd46a5db63dd5381d7488415e06f89bb3f0b3672498932f85115c596

Download Submit
memory/1996-15-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/1996-22-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2824-0-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2824-1-0x0000000001CA0000-0x0000000001CA6000-memory.dmp

Filesize
24KB

Download
memory/2824-8-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download