0ccf6f5928347003efecbe93eda24bef276438693f2984c5cfe184fec657b0bc

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_c847729d3942c87bd557a14b43e3c92e_cryptolocker.exe
Size

69KB
MD5

c847729d3942c87bd557a14b43e3c92e
SHA1

2a5c7e8ddcbaedd18872db9324ad6b82160336fe
SHA256

0ccf6f5928347003efecbe93eda24bef276438693f2984c5cfe184fec657b0bc
SHA512

ee70f6a646a2a1b52d3665c4ecd987ac6cc46983b6aad010a4f1dc237a9915a1e85f5a045edecee6e3a130730798d760dcbd6780e2e7ebbf13a32a2269feec3f
SSDEEP

768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPOYRmNxt5I52kGEpE0P/xFzE:6j+1NMOtEvwDpjr8ox8UDEpN/jw

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

resource	yara_rule
behavioral1/memory/2696-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000d0000000122d1-15.dat	CryptoLocker_rule2
behavioral1/memory/2696-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2252-26-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral1/memory/2696-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000d0000000122d1-15.dat	CryptoLocker_set1
behavioral1/memory/2696-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2252-26-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 4 IoCs

resource	yara_rule
behavioral1/memory/2696-0-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000d0000000122d1-15.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2696-16-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2252-26-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2252	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2696	2024-05-27_c847729d3942c87bd557a14b43e3c92e_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2252	2696	2024-05-27_c847729d3942c87bd557a14b43e3c92e_cryptolocker.exe	28
PID 2696 wrote to memory of 2252	2696	2024-05-27_c847729d3942c87bd557a14b43e3c92e_cryptolocker.exe	28
PID 2696 wrote to memory of 2252	2696	2024-05-27_c847729d3942c87bd557a14b43e3c92e_cryptolocker.exe	28
PID 2696 wrote to memory of 2252	2696	2024-05-27_c847729d3942c87bd557a14b43e3c92e_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-27_c847729d3942c87bd557a14b43e3c92e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_c847729d3942c87bd557a14b43e3c92e_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
69KB

MD5
e4d590c91cac26c8c13885782996810b

SHA1
96a4241edece116f49d9bda06655fb35a6ae50dd

SHA256
bd9d51a5e9e09a56e31592af4479d466a71917e60431543bb42727b1e5ac8168

SHA512
91e72fedb38aca9bf7f73e41157edd9c7f251cecf185690c998f2ef761543c5ae4d7b3a3118f139227e93a7f9dfd82256a48f1a15d2e2c4575df29d896defba3

Download Submit
memory/2252-18-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2252-19-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2252-26-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2696-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2696-1-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2696-2-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2696-3-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2696-13-0x00000000004E0000-0x00000000004EF000-memory.dmp

Filesize
60KB

Download
memory/2696-16-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download