87b8d69e335b4c6d9cc170e92ee73bd3120617e59886eac88b5f457fca7a08c2

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 15:56

Target

2024-05-21_bdaf33063061abd98c923be2067a65f2_cryptolocker.exe
Size

64KB
MD5

bdaf33063061abd98c923be2067a65f2
SHA1

f2a775f982f4b76e38d1bde8e169b92d84850129
SHA256

87b8d69e335b4c6d9cc170e92ee73bd3120617e59886eac88b5f457fca7a08c2
SHA512

7cfee482b74c22885f59645776d411a803c9d3a84d2ad638b91ae5cf6dd164f96b9f055728ff8c3f275f3d950eb7667b1ba0877de9f8ba03a673492cce885217
SSDEEP

1536:Tj+jsMQMOtEvwDpj5HmpJpOUHECgNMo0vp2EMTIzYf:TCjsIOtEvwDpj5HE/OUHnSMo

Score

9^/10

Detection of CryptoLocker Variants 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2020-0-0x0000000000500000-0x000000000050E000-memory.dmp	CryptoLocker_rule2
\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_rule2
behavioral1/memory/2020-16-0x0000000000500000-0x000000000050E000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1688-26-0x0000000000500000-0x000000000050E000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2020-0-0x0000000000500000-0x000000000050E000-memory.dmp	CryptoLocker_set1
\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_set1
behavioral1/memory/2020-16-0x0000000000500000-0x000000000050E000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1688-26-0x0000000000500000-0x000000000050E000-memory.dmp	CryptoLocker_set1

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid process

1688 misid.exe
Loads dropped DLL 1 IoCs

Processes:

2024-05-21_bdaf33063061abd98c923be2067a65f2_cryptolocker.exe

pid process

2020 2024-05-21_bdaf33063061abd98c923be2067a65f2_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1688	misid.exe

pid	process
2020	2024-05-21_bdaf33063061abd98c923be2067a65f2_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-05-21_bdaf33063061abd98c923be2067a65f2_cryptolocker.exe

description	pid	process	target process
PID 2020 wrote to memory of 1688	2020	2024-05-21_bdaf33063061abd98c923be2067a65f2_cryptolocker.exe	misid.exe
PID 2020 wrote to memory of 1688	2020	2024-05-21_bdaf33063061abd98c923be2067a65f2_cryptolocker.exe	misid.exe
PID 2020 wrote to memory of 1688	2020	2024-05-21_bdaf33063061abd98c923be2067a65f2_cryptolocker.exe	misid.exe
PID 2020 wrote to memory of 1688	2020	2024-05-21_bdaf33063061abd98c923be2067a65f2_cryptolocker.exe	misid.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_bdaf33063061abd98c923be2067a65f2_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_bdaf33063061abd98c923be2067a65f2_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:1688

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
64KB

MD5
46f6a4169324199c50f4a88fe6fb17ac

SHA1
c60871c95469f78245d36ca7e4c0bf10bc94fa95

SHA256
4043df91266f153a9e8aaaf1adfb9fad3ba95e116ff32761e84716cadf17082c

SHA512
27856286a73acd5f76ebe4a82c102acbad8e51333086447792dc77e4324120cc646a852bc47f7ce0f976f4b6a3d1d26a77d64f2a1248ce235d8c79c921fa448f

Download Submit
memory/1688-18-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1688-19-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1688-26-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2020-0-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2020-1-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/2020-2-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/2020-9-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/2020-16-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2020-15-0x0000000001DD0000-0x0000000001DDE000-memory.dmp

Filesize
56KB

Download