106e3c901369202fac3960133614d14242b4b8dc53b7ee2dd89074527663c86d

Analysis

max time kernel
45s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-02_03772f5fc3a088621b6ab22f254765fa_cryptolocker.exe
Size

95KB
MD5

03772f5fc3a088621b6ab22f254765fa
SHA1

bbeaaacee5faa10691a3df3bb55868e06f741f88
SHA256

106e3c901369202fac3960133614d14242b4b8dc53b7ee2dd89074527663c86d
SHA512

5ac5b6dec6befe7d8c0012c7bfe8996a7f123a8c466d80478365cccbd917a90fc5ea7ddc290ab0c47204532e7e6913a289ca2b0bded0c926813c851134a91db5
SSDEEP

1536:zj+soPSMOtEvwDpj4ktBl01hJl8QAPM8Ho6cRDjgx/kAd0:zCsanOtEvwDpjBO

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid process

2424 misid.exe
Loads dropped DLL 1 IoCs

Processes:

2024-11-02_03772f5fc3a088621b6ab22f254765fa_cryptolocker.exe

pid process

2324 2024-11-02_03772f5fc3a088621b6ab22f254765fa_cryptolocker.exe

pid	process
2424	misid.exe

pid	process
2324	2024-11-02_03772f5fc3a088621b6ab22f254765fa_cryptolocker.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2324-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2324-15-0x0000000000500000-0x0000000000510000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\misid.exe	upx
behavioral1/memory/2424-25-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-11-02_03772f5fc3a088621b6ab22f254765fa_cryptolocker.exemisid.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-02_03772f5fc3a088621b6ab22f254765fa_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	misid.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-11-02_03772f5fc3a088621b6ab22f254765fa_cryptolocker.exe

description	pid	process	target process
PID 2324 wrote to memory of 2424	2324	2024-11-02_03772f5fc3a088621b6ab22f254765fa_cryptolocker.exe	misid.exe
PID 2324 wrote to memory of 2424	2324	2024-11-02_03772f5fc3a088621b6ab22f254765fa_cryptolocker.exe	misid.exe
PID 2324 wrote to memory of 2424	2324	2024-11-02_03772f5fc3a088621b6ab22f254765fa_cryptolocker.exe	misid.exe
PID 2324 wrote to memory of 2424	2324	2024-11-02_03772f5fc3a088621b6ab22f254765fa_cryptolocker.exe	misid.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-02_03772f5fc3a088621b6ab22f254765fa_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-02_03772f5fc3a088621b6ab22f254765fa_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
95KB

MD5
1b916a11f9f6a7bd5dfd23adf12c86fd

SHA1
f6f902a8421d29a0e0981fe6e793c20bc46e89a6

SHA256
c9f2c0a4d54596fe75022d77a21d963636fb0883e8d36d7dedb604c822c38055

SHA512
b4b4570dc1204aa030e8041c8c2bbde1857b2e1ba214791fc0ef169be070b55117c85d3b54c8892d473eaab3c249eac4ef310548d311b9b1aaa430d21eaf1e7d

Download Submit
memory/2324-1-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2324-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2324-9-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2324-2-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2324-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2424-25-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2424-24-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/2424-17-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download