10c81f973b007de345f418e4c3450a1ad79cbbe7346614aafb66e5120dc44888

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_d79ddb5166c86a0319bd037897600d36_cryptolocker.exe
Size

48KB
MD5

d79ddb5166c86a0319bd037897600d36
SHA1

778e03cac7641f4a32b380e6de10bc0d37bf59f8
SHA256

10c81f973b007de345f418e4c3450a1ad79cbbe7346614aafb66e5120dc44888
SHA512

7b77119332bbf8d028c4b2c9f3527979793ec68aad5ba238105df94b9c543f01184ffde04d68354b0dfc84053898d7171cb6b432f5141f4c93d6ccd8b6e36871
SSDEEP

768:vQz7yVEhs9+js1SQtOOtEvwDpjz9+4/Uth8igNrr42A7n0FmB0nY:vj+jsMQMOtEvwDpj5HczerLO04Br

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_set1

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid process

2392 misid.exe
Loads dropped DLL 1 IoCs

Processes:

2024-05-23_d79ddb5166c86a0319bd037897600d36_cryptolocker.exe

pid process

308 2024-05-23_d79ddb5166c86a0319bd037897600d36_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2392	misid.exe

pid	process
308	2024-05-23_d79ddb5166c86a0319bd037897600d36_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-05-23_d79ddb5166c86a0319bd037897600d36_cryptolocker.exe

description	pid	process	target process
PID 308 wrote to memory of 2392	308	2024-05-23_d79ddb5166c86a0319bd037897600d36_cryptolocker.exe	misid.exe
PID 308 wrote to memory of 2392	308	2024-05-23_d79ddb5166c86a0319bd037897600d36_cryptolocker.exe	misid.exe
PID 308 wrote to memory of 2392	308	2024-05-23_d79ddb5166c86a0319bd037897600d36_cryptolocker.exe	misid.exe
PID 308 wrote to memory of 2392	308	2024-05-23_d79ddb5166c86a0319bd037897600d36_cryptolocker.exe	misid.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d79ddb5166c86a0319bd037897600d36_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_d79ddb5166c86a0319bd037897600d36_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
2⤵
- Executes dropped EXE
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
48KB

MD5
860ef854eb6e5497c16b7b7112e845a2

SHA1
5d9d85f22745443c266f85735bc0727f0f2c7c72

SHA256
66b99e83f43c69c9ac7592ef756e49e2eb2a7d54dfaf647c6d749de4638c738c

SHA512
95707761bea1452c5f148d916118380cb98dfe10c74faba79658615e4ab616d9a153b2b39dcc72edb411fc165b40ae7480e42db292b6ce9347e9603aaa130cc1

Download Submit
memory/308-0-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/308-1-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/308-8-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download