53d212e3978c08871d550e51772fa2b2b8772ae981d68d3cfec688a5b5bca771

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_dacab0cbbcfadff0292eb222ce7d9ece_cryptolocker.exe
Size

50KB
MD5

dacab0cbbcfadff0292eb222ce7d9ece
SHA1

390c4c64d99245bdb44cf46abd1030268dfe0e7e
SHA256

53d212e3978c08871d550e51772fa2b2b8772ae981d68d3cfec688a5b5bca771
SHA512

89ad84cd7729e1478b052d68e5e2f026f0a989c2dab5a8a35b79ee986d8cdf4d5f5b11e460326d764c9edc290918072c5ef136cc690b8d98fab6f18c914e01d5
SSDEEP

1536:ZzFbxmLPWQMOtEvwDpj386Sj/WprqQ15x8lGB:ZVxkGOtEvwDpjcpGB

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122eb-11.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2880	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2412	2024-05-10_dacab0cbbcfadff0292eb222ce7d9ece_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2880	2412	2024-05-10_dacab0cbbcfadff0292eb222ce7d9ece_cryptolocker.exe	28
PID 2412 wrote to memory of 2880	2412	2024-05-10_dacab0cbbcfadff0292eb222ce7d9ece_cryptolocker.exe	28
PID 2412 wrote to memory of 2880	2412	2024-05-10_dacab0cbbcfadff0292eb222ce7d9ece_cryptolocker.exe	28
PID 2412 wrote to memory of 2880	2412	2024-05-10_dacab0cbbcfadff0292eb222ce7d9ece_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-10_dacab0cbbcfadff0292eb222ce7d9ece_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_dacab0cbbcfadff0292eb222ce7d9ece_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
50KB

MD5
706020f340fec2f9604ba00c65d4bae9

SHA1
e4af4ed14c30a607c5a793c0b5190be307e7190c

SHA256
c66033459da0178ef3716143287a6471703ca8f270be41df72873c56e6cd3275

SHA512
85aa8b726bcde2f04902bed58ad4019c5d29d272d2e6e7f7c5336a2fe9af1b8258dda2a38b1adecfde4b9e6ca6151255188c7ffd7ed79df1cef15cdb9da1ad00

Download Submit
memory/2412-2-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2412-1-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/2412-0-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2412-9-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2880-16-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2880-23-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download