819e08efe10c2012f28cf892342e4a016dbaa895a398ce12efa00e5268a096d6

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 04:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-13_eb243b2c8cf0f4c8213eca248b6460b7_cryptolocker.exe
Size

96KB
MD5

eb243b2c8cf0f4c8213eca248b6460b7
SHA1

60f9f7c8413a3ea9d97b483ad22a502e843badee
SHA256

819e08efe10c2012f28cf892342e4a016dbaa895a398ce12efa00e5268a096d6
SHA512

a1ca33952947c709d3bb0a64925e5355be9a7830a3d60a4ba6e23e5fbcebc7d54bef4da4e6a93da7581db0cf5d4981e906f62e8b4ae3acbee0b83b80cea07d25
SSDEEP

768:xQz7yVEhs9+4uR1bytOOtEvwDpjWfbZ7uyA36S7MpxRiWNa9mktJYH:xj+VGMOtEvwDpjubwQEIiVmksH

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/2424-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000c00000001227f-24.dat	CryptoLocker_rule2
behavioral1/memory/2824-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2424-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2824-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 5 IoCs

resource	yara_rule
behavioral1/memory/2424-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000c00000001227f-24.dat	CryptoLocker_set1
behavioral1/memory/2824-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2424-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2824-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 5 IoCs

resource	yara_rule
behavioral1/memory/2424-0-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000c00000001227f-24.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2824-17-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2424-15-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2824-26-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2824	misid.exe

Loads dropped DLL 1 IoCs

pid	Process
2424	2024-06-13_eb243b2c8cf0f4c8213eca248b6460b7_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2824	2424	2024-06-13_eb243b2c8cf0f4c8213eca248b6460b7_cryptolocker.exe	28
PID 2424 wrote to memory of 2824	2424	2024-06-13_eb243b2c8cf0f4c8213eca248b6460b7_cryptolocker.exe	28
PID 2424 wrote to memory of 2824	2424	2024-06-13_eb243b2c8cf0f4c8213eca248b6460b7_cryptolocker.exe	28
PID 2424 wrote to memory of 2824	2424	2024-06-13_eb243b2c8cf0f4c8213eca248b6460b7_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-13_eb243b2c8cf0f4c8213eca248b6460b7_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_eb243b2c8cf0f4c8213eca248b6460b7_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
96KB

MD5
7ba00d5f43ad455589e341e81302e890

SHA1
1d95c096e4bdbd271ba849193326897b63a2db84

SHA256
bd8cedb9bdff0446414134fc342cf31c1ae869f35b1de12d6aa345d629d2b3c7

SHA512
84c9747a21530f9caf41db12695521a1a23a6df5a5e44e4dda8ad67d8c5e975a28c424dfa28c3dc23ee40f851f6f97430f3e312326cf183e14b5ac478a657c85

Download Submit
memory/2424-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2424-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2424-3-0x0000000001CA0000-0x0000000001CA6000-memory.dmp

Filesize
24KB

Download
memory/2424-2-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2424-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2824-18-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2824-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2824-25-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2824-26-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download