3c8881f7ac3aac980ed85faf142a0ea52499cc04e30ec4d4d8d85b4b353c35c0

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-26_a7356e3bcb6a10185eb3f1aa3d0d5364_cryptolocker.exe
Size

39KB
MD5

a7356e3bcb6a10185eb3f1aa3d0d5364
SHA1

4d183a49c4034a633deb760f54125d510346d97b
SHA256

3c8881f7ac3aac980ed85faf142a0ea52499cc04e30ec4d4d8d85b4b353c35c0
SHA512

f9f25bcd5250399e9082b0396811dd3f2264afd15c8009a81e1b8f28409fd82e32f5c9b16607b6cd217a97dea7f86ab74aae0b1dd1aad00e123d86e8c8485245
SSDEEP

768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjLenUX:ZzFbxmLPWQMOtEvwDpjLe6

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001227e-11.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2928	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2904	2024-05-26_a7356e3bcb6a10185eb3f1aa3d0d5364_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2928	2904	2024-05-26_a7356e3bcb6a10185eb3f1aa3d0d5364_cryptolocker.exe	28
PID 2904 wrote to memory of 2928	2904	2024-05-26_a7356e3bcb6a10185eb3f1aa3d0d5364_cryptolocker.exe	28
PID 2904 wrote to memory of 2928	2904	2024-05-26_a7356e3bcb6a10185eb3f1aa3d0d5364_cryptolocker.exe	28
PID 2904 wrote to memory of 2928	2904	2024-05-26_a7356e3bcb6a10185eb3f1aa3d0d5364_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-26_a7356e3bcb6a10185eb3f1aa3d0d5364_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a7356e3bcb6a10185eb3f1aa3d0d5364_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
39KB

MD5
758338dac5a86a7b4d6861ac864f9c6a

SHA1
da55548a0e898d7c295925e6057093f1f63cb768

SHA256
2bfd7aba79c53d1ecdb7645733c954a9292b999abc6a0b5d14c77f05490ef9e7

SHA512
f605a7ecdac1810355990f63105ec12a2c17d8f059cbbac33f9a3e9c6c0580bb519aeaf52028f24ff806a8a67faefb229f546057e5a70798cce2b547b4293a96

Download Submit
memory/2904-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2904-1-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2904-2-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2904-9-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2928-16-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2928-24-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2928-23-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2928-25-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download