cd870ceacaee02b031006a8f3bf5ab66973fc54a547cf6d88c33bc95f5ae2dea

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-12_7137d6e20f39c01693b01a9f674928a0_cryptolocker.exe
Size

38KB
MD5

7137d6e20f39c01693b01a9f674928a0
SHA1

bb00039e93822e76de3839b7e896b40eeec17438
SHA256

cd870ceacaee02b031006a8f3bf5ab66973fc54a547cf6d88c33bc95f5ae2dea
SHA512

6929024191ad3cc3ad5bef3d7066bef79da993eff695a98e7d4a98e89245e6213841d98e9321308b4011efe1f33374b6224a40cb6538ee634f267461ea21b7db
SSDEEP

768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjLenUq:ZzFbxmLPWQMOtEvwDpjLev

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001225d-11.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2768	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2064	2024-05-12_7137d6e20f39c01693b01a9f674928a0_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2768	2064	2024-05-12_7137d6e20f39c01693b01a9f674928a0_cryptolocker.exe	28
PID 2064 wrote to memory of 2768	2064	2024-05-12_7137d6e20f39c01693b01a9f674928a0_cryptolocker.exe	28
PID 2064 wrote to memory of 2768	2064	2024-05-12_7137d6e20f39c01693b01a9f674928a0_cryptolocker.exe	28
PID 2064 wrote to memory of 2768	2064	2024-05-12_7137d6e20f39c01693b01a9f674928a0_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-12_7137d6e20f39c01693b01a9f674928a0_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-12_7137d6e20f39c01693b01a9f674928a0_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
38KB

MD5
ecb238db077c0a4740cd67a4a52262ce

SHA1
1cde09878c51b4e058cd52867cb53f1517b62d80

SHA256
fbeed062a95d0ecbc043a4e86c1f55ed5531aab4ec26727d753b82ba1d5105cc

SHA512
91d57ccc92876451e2b20242f93244d0ce40c40e61a8b01352ece8294ca98b1d4ee258ad1fbe181308965276823722e689e1bad1d506125457deab68615923e8

Download Submit
memory/2064-1-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2064-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2064-9-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2064-8-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2768-16-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/2768-24-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2768-23-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2768-25-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download