7ab756af507529c6849d6421437ed2c35b30d36b8c360ffc478cb2236d272c0c

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 08:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_dde7dae7bf9fafbbf7b496d38c1df9d2_cryptolocker.exe
Size

44KB
MD5

dde7dae7bf9fafbbf7b496d38c1df9d2
SHA1

ac4ec5140ceecbc367ad6f8c891320a94d12a40d
SHA256

7ab756af507529c6849d6421437ed2c35b30d36b8c360ffc478cb2236d272c0c
SHA512

86407f32c36122e6c726b2925df7ea31064d4c01787b5eca3b96d8f09f570657a0ec270bb5dff6327c17f615deea69ae8d37269ca64d6b5c2f54ea7d9193a880
SSDEEP

768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqh6/aDf:6j+1NMOtEvwDpjrRM

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/2276-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000d00000001231a-11.dat	CryptoLocker_rule2
behavioral1/memory/2276-13-0x00000000004F0000-0x00000000004FF000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2276-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2072-25-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 5 IoCs

resource	yara_rule
behavioral1/memory/2276-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000d00000001231a-11.dat	CryptoLocker_set1
behavioral1/memory/2276-13-0x00000000004F0000-0x00000000004FF000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2276-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2072-25-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 5 IoCs

resource	yara_rule
behavioral1/memory/2276-0-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000d00000001231a-11.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2276-13-0x00000000004F0000-0x00000000004FF000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2276-16-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2072-25-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2072	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2276	2024-06-11_dde7dae7bf9fafbbf7b496d38c1df9d2_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2072	2276	2024-06-11_dde7dae7bf9fafbbf7b496d38c1df9d2_cryptolocker.exe	28
PID 2276 wrote to memory of 2072	2276	2024-06-11_dde7dae7bf9fafbbf7b496d38c1df9d2_cryptolocker.exe	28
PID 2276 wrote to memory of 2072	2276	2024-06-11_dde7dae7bf9fafbbf7b496d38c1df9d2_cryptolocker.exe	28
PID 2276 wrote to memory of 2072	2276	2024-06-11_dde7dae7bf9fafbbf7b496d38c1df9d2_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-11_dde7dae7bf9fafbbf7b496d38c1df9d2_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_dde7dae7bf9fafbbf7b496d38c1df9d2_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
45KB

MD5
086d608724b91ab7ffb1f2b81fbaf148

SHA1
a7a4c48cb4c082df0e2e0e99f8bcb60bf4d2bd5c

SHA256
eef8d7a4c0245ce0b4355709bde69325c6fe24774cb093a81d235fe012f7327b

SHA512
6cfb6dfc711c44165658cdf8842c6cd0091559a94d068bdaf84204adbb1585107c75e18e7eac7c9e5c26be7ed229bd39cfc7f4386a3f339c03df369114121db1

Download Submit
memory/2072-18-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2072-25-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2276-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2276-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2276-2-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2276-3-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2276-13-0x00000000004F0000-0x00000000004FF000-memory.dmp

Filesize
60KB

Download
memory/2276-16-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download