36190a637f6921a651809a930dfc0c83d3a4d035921058081c81aca13f2b1b66

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_123e75d4a6ab174b5469ad59e1242b1f_cryptolocker.exe
Size

38KB
MD5

123e75d4a6ab174b5469ad59e1242b1f
SHA1

29e94f6acedc94d09282d75502db530c259f46d8
SHA256

36190a637f6921a651809a930dfc0c83d3a4d035921058081c81aca13f2b1b66
SHA512

893684b0a533edcc12c4225eaa7e24981e02cf49e9f923b77771b3a03c53d70dfc92a3aec655b1ffbfc18730ff6ceb1a0483311a18e6e658c1fb04a42f4543f6
SSDEEP

768:fTz7y3lhsT+hs1SQtOOtEvwDpjfAu9+4q1:fT+hsMQMOtEvwDpjoIH+

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000144e0-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000144e0-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2052	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2084	2024-05-29_123e75d4a6ab174b5469ad59e1242b1f_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2052	2084	2024-05-29_123e75d4a6ab174b5469ad59e1242b1f_cryptolocker.exe	28
PID 2084 wrote to memory of 2052	2084	2024-05-29_123e75d4a6ab174b5469ad59e1242b1f_cryptolocker.exe	28
PID 2084 wrote to memory of 2052	2084	2024-05-29_123e75d4a6ab174b5469ad59e1242b1f_cryptolocker.exe	28
PID 2084 wrote to memory of 2052	2084	2024-05-29_123e75d4a6ab174b5469ad59e1242b1f_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-29_123e75d4a6ab174b5469ad59e1242b1f_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_123e75d4a6ab174b5469ad59e1242b1f_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
38KB

MD5
995e927f8fb9ec000354d9c11094da3f

SHA1
bc9d05a5ac5cdf44fcdacfe02be56d2df6769a3a

SHA256
47ae58d6845499154bd9f74b0bc129d1d3a608657f6c17fd8c134b882efade56

SHA512
ec30237fbc3a5fac334048d9e24c86df124d483eccef9034bae7cac8bdf7cc5915d8bd5909d84f3beaa1062f591ebda68580c0b777b1273011c21be317067525

Download Submit
memory/2052-22-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2052-15-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2084-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2084-1-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/2084-7-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download