7591f0330bac460bb7e5aaefb5f396cd8f95875151b6464003100fd638bbd963

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_bec7deb04a74832098faa8e0a1e5dc0a_cryptolocker.exe
Size

49KB
MD5

bec7deb04a74832098faa8e0a1e5dc0a
SHA1

f9a326dad816d7fc322e45301e44c27b71aa4104
SHA256

7591f0330bac460bb7e5aaefb5f396cd8f95875151b6464003100fd638bbd963
SHA512

1f15f89e8555c975c3fc009c41db93c43aca04163cf1f6ffc8ca84b4cde62c7cdf13de1706b90a63b8919d6bad15298597320e71fda627934bbc877ad5ec8ba7
SSDEEP

768:vQz7yVEhs9+js1SQtOOtEvwDpjz9+4/Uth8igNrr42A7n0FmB0nI:vj+jsMQMOtEvwDpj5HczerLO04Bz

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014323-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014323-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2584	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
1736	2024-06-02_bec7deb04a74832098faa8e0a1e5dc0a_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2584	1736	2024-06-02_bec7deb04a74832098faa8e0a1e5dc0a_cryptolocker.exe	28
PID 1736 wrote to memory of 2584	1736	2024-06-02_bec7deb04a74832098faa8e0a1e5dc0a_cryptolocker.exe	28
PID 1736 wrote to memory of 2584	1736	2024-06-02_bec7deb04a74832098faa8e0a1e5dc0a_cryptolocker.exe	28
PID 1736 wrote to memory of 2584	1736	2024-06-02_bec7deb04a74832098faa8e0a1e5dc0a_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-02_bec7deb04a74832098faa8e0a1e5dc0a_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_bec7deb04a74832098faa8e0a1e5dc0a_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
49KB

MD5
f5c74667dcc8874fba09f1460f230dea

SHA1
d5d3d09231ecb5d559c2dd4ca9178b86b9962756

SHA256
d6abf5aefa8671512e829ecdd0fc8eff181ba669290a4ff0c8a3694038e25c4d

SHA512
2152c66d3fc2573c905e11f64a53261f006f6c556a1ca9c26468d81c86feb7c8a4950468e062e91a0abfeb57391f9e9bd6a77796a5e86d1c527670dd6832f24a

Download Submit
memory/1736-0-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/1736-1-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/1736-2-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download
memory/2584-15-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download