Overview

overview

10

Static

static

10

2024-05-19...er.exe

windows7-x64

9

2024-05-19...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    141s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-05-2024 20:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-19_d01f08169ca42213c00b812cab600fed_cryptolocker.exe

  • Size

    66KB

  • MD5

    d01f08169ca42213c00b812cab600fed

  • SHA1

    06d66ab599c8a2d1b93e6c19faab63bb939ddb1e

  • SHA256

    7c724da4ee2ced980a27bef2ebf2489c006b851fe89a760bec3ba60e2c1968d9

  • SHA512

    e15d3317a601ddaa8bd5a8c82a7f277250be46b3b3e60921367d8d0a53daddceb91141cf7f393995e4917611f742b1e34dbc341cdb1f2e33970806ed296321b8

  • SSDEEP

    1536:Tj+jsMQMOtEvwDpj5HmpJpOUHECgNMo0vp2l9tMPvdfGyG:TCjsIOtEvwDpj5HE/OUHnSMYn

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 5 IoCs
  • Detection of Cryptolocker Samples 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-19_d01f08169ca42213c00b812cab600fed_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-19_d01f08169ca42213c00b812cab600fed_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Users\Admin\AppData\Local\Temp\misid.exe
      "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:4724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\misid.exe
    Filesize

    66KB

    MD5

    57ffcec642a0c5d1e4d4c0a79fe87f65

    SHA1

    6b53536476d4d0f96a13bcc20484186fef3dbaf5

    SHA256

    44a087d1c375cae07eb888f4dd16ea13caad77c7782f42bb49a5487697d10eaf

    SHA512

    060d301093eefba0c8cd4915914d3afeab736676f9e57b84d8be644e972752128685fb7ccc1cf76a5cbabd487af100d1abf726ddcb4a2c3aaad89da009c1524d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\misids.exe
    Filesize

    315B

    MD5

    a34ac19f4afae63adc5d2f7bc970c07f

    SHA1

    a82190fc530c265aa40a045c21770d967f4767b8

    SHA256

    d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

    SHA512

    42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765

    Download Submit

  • memory/4724-17-0x0000000000500000-0x000000000050E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4724-48-0x0000000000500000-0x000000000050E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4980-0-0x0000000000500000-0x000000000050E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4980-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4980-2-0x00000000004F0000-0x00000000004F6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4980-9-0x00000000004D0000-0x00000000004D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4980-18-0x0000000000500000-0x000000000050E000-memory.dmp

    Filesize

    56KB

    Download