37ed7b2afe5cc070f4227a51f5b2f13f2b2d75d149ea4e5e4e5dd6aa45e85acf

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 02:54

Target

2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe
Size

40KB
MD5

ef5afb4aab095b643f25cd4d9db6649f
SHA1

4f4be4d59f3d632d44e62ec47cbbef8e3be0f22c
SHA256

37ed7b2afe5cc070f4227a51f5b2f13f2b2d75d149ea4e5e4e5dd6aa45e85acf
SHA512

ca8e3c1727445395ae71b44cecd79b1b9c20a9eaa974f08326aa311793dabc8f124f8265c2974cb53c4d7d8aa2414ff396960e4fab4c372859131df2a7eaaa35
SSDEEP

768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjLeJAsKuDkP:ZzFbxmLPWQMOtEvwDpjLeJAsKc0

Score

9^/10

Detection of CryptoLocker Variants 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_rule2
behavioral1/memory/940-24-0x0000000000230000-0x0000000000236000-memory.dmp	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid process

940 misid.exe
Loads dropped DLL 1 IoCs

Processes:

2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe

pid process

2188 2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
940	misid.exe

pid	process
2188	2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe

description	pid	process	target process
PID 2188 wrote to memory of 940	2188	2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe	misid.exe
PID 2188 wrote to memory of 940	2188	2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe	misid.exe
PID 2188 wrote to memory of 940	2188	2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe	misid.exe
PID 2188 wrote to memory of 940	2188	2024-05-22_ef5afb4aab095b643f25cd4d9db6649f_cryptolocker.exe	misid.exe

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
2⤵
- Executes dropped EXE
PID:940

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

\Users\Admin\AppData\Local\Temp\misid.exe
Filesize
41KB

MD5
fca5fdf1e09ad586e58ca2169e175941

SHA1
16883b8d9734a20634c5cb79e5b7a6ca095b4971

SHA256
8904d11a4cab741030c19ec910d2032bf0296f07b5d1e89f354df85edef7028b

SHA512
1be5ad99d0a900aeb5707c38bcdacf24f64a45e3bedc8d62dab3c2b876639a3facb92ed29db6b3cd84d8f025eb6727000076b08a17a368054da53cc2a468a021

Download Submit
memory/940-16-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/940-23-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/940-24-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2188-0-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2188-1-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2188-2-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2188-9-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download