22100a6a2b8fb7d43dc6a496c56c9c295a6ddb9f24b8cd809398ba919af7b58a

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_260931d306915f4970bf1e9a3f0fff0d_cryptolocker.exe
Size

43KB
MD5

260931d306915f4970bf1e9a3f0fff0d
SHA1

f12cfc08c9b037320bb6a10923213a8a54071d13
SHA256

22100a6a2b8fb7d43dc6a496c56c9c295a6ddb9f24b8cd809398ba919af7b58a
SHA512

a6452148b98b57e75c24aa24d30acdce7217214d82aa54602f091e0b19ed2f7e41506e8b74674618080a955612de428e906fb11aece570152ee3c81103d8850d
SSDEEP

768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqh6/aDU:6j+1NMOtEvwDpjrRf

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2076-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_rule2
behavioral1/memory/2076-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2544-25-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2076-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_set1
behavioral1/memory/2076-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2544-25-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2076-0-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
\Users\Admin\AppData\Local\Temp\misid.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2076-15-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2544-25-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid process

2544 misid.exe
Loads dropped DLL 1 IoCs

Processes:

2024-05-21_260931d306915f4970bf1e9a3f0fff0d_cryptolocker.exe

pid process

2076 2024-05-21_260931d306915f4970bf1e9a3f0fff0d_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2544	misid.exe

pid	process
2076	2024-05-21_260931d306915f4970bf1e9a3f0fff0d_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-05-21_260931d306915f4970bf1e9a3f0fff0d_cryptolocker.exe

description	pid	process	target process
PID 2076 wrote to memory of 2544	2076	2024-05-21_260931d306915f4970bf1e9a3f0fff0d_cryptolocker.exe	misid.exe
PID 2076 wrote to memory of 2544	2076	2024-05-21_260931d306915f4970bf1e9a3f0fff0d_cryptolocker.exe	misid.exe
PID 2076 wrote to memory of 2544	2076	2024-05-21_260931d306915f4970bf1e9a3f0fff0d_cryptolocker.exe	misid.exe
PID 2076 wrote to memory of 2544	2076	2024-05-21_260931d306915f4970bf1e9a3f0fff0d_cryptolocker.exe	misid.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_260931d306915f4970bf1e9a3f0fff0d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_260931d306915f4970bf1e9a3f0fff0d_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
2⤵
- Executes dropped EXE
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
43KB

MD5
1ec55bd243100042ad82856701f83907

SHA1
0974b394e1cd0a458859c2d2b7a032cfaa784b11

SHA256
ec837a03c1d38d8926d4d0acf7f49bafc63117364c951a685d2bbe86eeee24a7

SHA512
c22498bc3d6d9ce50314215b195d8f0b13650bf11da389abd2a77b0414ffd674f3e6c7a06d54bbed8084eb6d6149fe7cae1ea8861a6d8992a3dc1825aad98e53

Download Submit
memory/2076-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2076-1-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2076-9-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2076-2-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2076-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2544-17-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2544-24-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/2544-25-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download