aee9e5782539a5240895b6dd201ea00847d576fea0bca7adf2659ecd078cd88b

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_1db7ed1064af0099eb2b72000532d254_cryptolocker.exe
Size

69KB
MD5

1db7ed1064af0099eb2b72000532d254
SHA1

404f7d89ad5860349f9db735ac71ceec0c88f0b1
SHA256

aee9e5782539a5240895b6dd201ea00847d576fea0bca7adf2659ecd078cd88b
SHA512

202a1a5fde9c8ab2ff3ad82db1fcebc705e1d2cd179e5005a603b7f6feda36f6be97bb1dc9b9b2ad06bee7c4f0bc4d6eb4fb573088f4344c718c58f19750ec68
SSDEEP

768:XS5nQJ24LR1bytOOtEvwDpjNbZ7uyA36S7MpxRXrZSUNsYD/dE:i5nkFGMOtEvwDpjNbwQEI8UZDK

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2740-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_rule2
behavioral1/memory/2740-13-0x0000000002840000-0x000000000284F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2740-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2884-19-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2884-28-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2740-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2884-19-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2884-28-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2740-0-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
\Users\Admin\AppData\Local\Temp\misid.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2740-13-0x0000000002840000-0x000000000284F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2740-17-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2884-19-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2884-28-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid process

2884 misid.exe
Loads dropped DLL 1 IoCs

Processes:

2024-05-22_1db7ed1064af0099eb2b72000532d254_cryptolocker.exe

pid process

2740 2024-05-22_1db7ed1064af0099eb2b72000532d254_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2884	misid.exe

pid	process
2740	2024-05-22_1db7ed1064af0099eb2b72000532d254_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-05-22_1db7ed1064af0099eb2b72000532d254_cryptolocker.exe

description	pid	process	target process
PID 2740 wrote to memory of 2884	2740	2024-05-22_1db7ed1064af0099eb2b72000532d254_cryptolocker.exe	misid.exe
PID 2740 wrote to memory of 2884	2740	2024-05-22_1db7ed1064af0099eb2b72000532d254_cryptolocker.exe	misid.exe
PID 2740 wrote to memory of 2884	2740	2024-05-22_1db7ed1064af0099eb2b72000532d254_cryptolocker.exe	misid.exe
PID 2740 wrote to memory of 2884	2740	2024-05-22_1db7ed1064af0099eb2b72000532d254_cryptolocker.exe	misid.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_1db7ed1064af0099eb2b72000532d254_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_1db7ed1064af0099eb2b72000532d254_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
2⤵
- Executes dropped EXE
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
69KB

MD5
24c73b952dd48342e3bfcab6195efdff

SHA1
f1540ec6581517dffb3c533e5f5ca2f895c4ed31

SHA256
91a59e041d51146b2df5c9202ef1ce3b90dc9f1519c90d12c5175d74de426878

SHA512
b8bc04c39164673474c6bbe601db5c6a4a2274d9da6cfed723dc88160110f410245e44b3f4adaab92bda23f7300cc9c2bd8d34254d2b5969184267ad6cf2a96e

Download Submit
memory/2740-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2740-1-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/2740-2-0x0000000001CA0000-0x0000000001CA6000-memory.dmp

Filesize
24KB

Download
memory/2740-9-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/2740-13-0x0000000002840000-0x000000000284F000-memory.dmp

Filesize
60KB

Download
memory/2740-17-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2884-19-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2884-20-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2884-27-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2884-28-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download