af972236187f686b2a648a92adaef864cbb0298a2b9b6a5127bbe868d04dbce9

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_e8e0355e4fce1a7a0185772e603f8d94_cryptolocker.exe
Size

69KB
MD5

e8e0355e4fce1a7a0185772e603f8d94
SHA1

ce9844aa3593f883097bcbf937db27f3b573ffe0
SHA256

af972236187f686b2a648a92adaef864cbb0298a2b9b6a5127bbe868d04dbce9
SHA512

d97598bc41bbcced5432d9f589e16fbc459674cd1747f4930438fa221f2646235597932123e3e0901b68cf05ebb623067ababd06f57b41d93f830ca6a920aadc
SSDEEP

1536:nj+4zs2cPVhlMOtEvwDpj4H8u8rZVTs97:C4Q2c94OtEvwDpj4H8z+

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1792-1-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1792-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
C:\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_rule2
behavioral1/memory/3048-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/3048-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1792-1-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1792-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/3048-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1792-1-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/1792-15-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\misid.exe	UPX
behavioral1/memory/3048-17-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/3048-27-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid process

3048 misid.exe
Loads dropped DLL 1 IoCs

Processes:

2024-05-20_e8e0355e4fce1a7a0185772e603f8d94_cryptolocker.exe

pid process

1792 2024-05-20_e8e0355e4fce1a7a0185772e603f8d94_cryptolocker.exe

pid	process
3048	misid.exe

pid	process
1792	2024-05-20_e8e0355e4fce1a7a0185772e603f8d94_cryptolocker.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1792-1-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1792-15-0x0000000000500000-0x0000000000510000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\misid.exe	upx
behavioral1/memory/3048-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3048-27-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-05-20_e8e0355e4fce1a7a0185772e603f8d94_cryptolocker.exe

description	pid	process	target process
PID 1792 wrote to memory of 3048	1792	2024-05-20_e8e0355e4fce1a7a0185772e603f8d94_cryptolocker.exe	misid.exe
PID 1792 wrote to memory of 3048	1792	2024-05-20_e8e0355e4fce1a7a0185772e603f8d94_cryptolocker.exe	misid.exe
PID 1792 wrote to memory of 3048	1792	2024-05-20_e8e0355e4fce1a7a0185772e603f8d94_cryptolocker.exe	misid.exe
PID 1792 wrote to memory of 3048	1792	2024-05-20_e8e0355e4fce1a7a0185772e603f8d94_cryptolocker.exe	misid.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_e8e0355e4fce1a7a0185772e603f8d94_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_e8e0355e4fce1a7a0185772e603f8d94_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
2⤵
- Executes dropped EXE
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
69KB

MD5
5d594936b47aebf7b7e0b600f324ca0e

SHA1
520fe5dc4a9fa7647461833cd7e070c97d727200

SHA256
2d1da0fda109644a22b29bda1166f9b945ec87549e8a0fdcc578551a5a9d11f5

SHA512
28c6e98e8e15fdf19bd698bc80126bf64a5765d90a61722dbf2f6029eb9d02990e2e0fea119ce697ce8277c0bef0d1ae24f1cef7caac7ddbb64c8a60322d64cb

Download Submit
memory/1792-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1792-1-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1792-2-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/1792-9-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1792-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3048-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3048-19-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/3048-26-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/3048-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download