e45a06ac35200bf99bc0cebea9c976a0cc34c99ecb15ead429fb837a158aefab

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_e7692dc008a5b7c8c7e468da861f982b_cryptolocker.exe
Size

44KB
MD5

e7692dc008a5b7c8c7e468da861f982b
SHA1

b18db0e1f03cf24f54dc3f1767ecbb77b97c7fc0
SHA256

e45a06ac35200bf99bc0cebea9c976a0cc34c99ecb15ead429fb837a158aefab
SHA512

dff5cdef940ba3779964104a6be11b2c2a8b360560f3aa17cf52dd29ad48cead4b9525337bf90c0e9727f7b00a4f03aa6fe2516259be95b1a19915ed79662f39
SSDEEP

768:vQz7yVEhs9+js1SQtOOtEvwDpjz9+4REL+cc66Tcue:vj+jsMQMOtEvwDpj5HW5scue

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_set1

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid process

2520 misid.exe
Loads dropped DLL 1 IoCs

Processes:

2024-05-23_e7692dc008a5b7c8c7e468da861f982b_cryptolocker.exe

pid process

2220 2024-05-23_e7692dc008a5b7c8c7e468da861f982b_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2520	misid.exe

pid	process
2220	2024-05-23_e7692dc008a5b7c8c7e468da861f982b_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-05-23_e7692dc008a5b7c8c7e468da861f982b_cryptolocker.exe

description	pid	process	target process
PID 2220 wrote to memory of 2520	2220	2024-05-23_e7692dc008a5b7c8c7e468da861f982b_cryptolocker.exe	misid.exe
PID 2220 wrote to memory of 2520	2220	2024-05-23_e7692dc008a5b7c8c7e468da861f982b_cryptolocker.exe	misid.exe
PID 2220 wrote to memory of 2520	2220	2024-05-23_e7692dc008a5b7c8c7e468da861f982b_cryptolocker.exe	misid.exe
PID 2220 wrote to memory of 2520	2220	2024-05-23_e7692dc008a5b7c8c7e468da861f982b_cryptolocker.exe	misid.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_e7692dc008a5b7c8c7e468da861f982b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_e7692dc008a5b7c8c7e468da861f982b_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
2⤵
- Executes dropped EXE
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
44KB

MD5
02dc2d94f4dfe14e13dca19bdc1175b3

SHA1
8d6572c38a0a90ff20414dbfa49931cf2ade298f

SHA256
6fe3913460324a17503998ae40d8d2688ea8334af63aaff5aff5d16fee40b918

SHA512
5fa2c6d55753b53db5202e7ec45cbd033cfd7f6e3f7be24588528027c9d0b28119c072999493542cd6429ce44dba4962acfd8e50f0acca0dc4694861f04bdc90

Download Submit
memory/2220-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2220-1-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2220-8-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2520-15-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2520-22-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download