b04b39d2d999170110d39edec01af423f5bf53f8b6271a33f9cf33e988e2f4ec

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_c8a5490c242d8341ad533ba2d3c2eac8_cryptolocker.exe
Size

69KB
MD5

c8a5490c242d8341ad533ba2d3c2eac8
SHA1

4a8ecdd42843cc4984f25feb3ab9f3b7739e3694
SHA256

b04b39d2d999170110d39edec01af423f5bf53f8b6271a33f9cf33e988e2f4ec
SHA512

a011a28ee9ee3d1bad6aa708adbd5a5450ae5b1489fe28199febc467aed14f390536281fbf79c58b1955c6f61ceaea1f118ff0eda073b41252a4986a853e3c78
SSDEEP

768:XS5nQJ24LR1bytOOtEvwDpjNbZ7uyA36S7MpxRXrZSUNsYD/dx:i5nkFGMOtEvwDpjNbwQEI8UZD7

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 6 IoCs

resource	yara_rule
behavioral1/memory/2804-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000b000000014fe1-11.dat	CryptoLocker_rule2
behavioral1/memory/2804-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2804-13-0x0000000002470000-0x000000000247F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2684-18-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2684-28-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 3 IoCs

resource	yara_rule
behavioral1/memory/2804-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2804-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2684-28-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 6 IoCs

resource	yara_rule
behavioral1/memory/2804-0-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000b000000014fe1-11.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2804-17-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2804-13-0x0000000002470000-0x000000000247F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2684-18-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2684-28-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2684	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2804	2024-06-03_c8a5490c242d8341ad533ba2d3c2eac8_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2684	2804	2024-06-03_c8a5490c242d8341ad533ba2d3c2eac8_cryptolocker.exe	28
PID 2804 wrote to memory of 2684	2804	2024-06-03_c8a5490c242d8341ad533ba2d3c2eac8_cryptolocker.exe	28
PID 2804 wrote to memory of 2684	2804	2024-06-03_c8a5490c242d8341ad533ba2d3c2eac8_cryptolocker.exe	28
PID 2804 wrote to memory of 2684	2804	2024-06-03_c8a5490c242d8341ad533ba2d3c2eac8_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-03_c8a5490c242d8341ad533ba2d3c2eac8_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_c8a5490c242d8341ad533ba2d3c2eac8_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
69KB

MD5
653ad6b0f9e03710b094ad2b6f6cce5c

SHA1
7d91986f3a87a981a18f442906ef50ec87e24a94

SHA256
5c88f1671d7bc3e2c35a05a6cb2e9fc04e4cc76e5842eec6ac0c999cf54c239b

SHA512
2f3d329de5667692b43331cbc20584df7972994ee33b6a69c0c63b62669e073e0960e70ceb0421d25f35e911ec5c013bd81df3b9d7ad2af3d70a1cb9778e0872

Download Submit
memory/2684-18-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2684-21-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2684-20-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2684-28-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2804-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2804-1-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2804-2-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2804-9-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2804-17-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2804-13-0x0000000002470000-0x000000000247F000-memory.dmp

Filesize
60KB

Download