9829307f77d68c84080869f6e8f989ca7d42591df8ce31e3d60f9105365b8698

Analysis

max time kernel
148s
max time network
172s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2022-11-23_a7d6cbd797c6bd2f4970d56cca4cc167_cryptolocker.exe
Size

118KB
MD5

a7d6cbd797c6bd2f4970d56cca4cc167
SHA1

147b8a116d91e65f43a4b92d0e67aed3d4d3b783
SHA256

9829307f77d68c84080869f6e8f989ca7d42591df8ce31e3d60f9105365b8698
SHA512

2e649394cc91a1647bc30b37e1aa8f06d39d277461f3608b0372b926f8069ed030c48b9214d737e8a6b051584ecc3182051d3e909404e3e08a4f6e598e123289
SSDEEP

1536:z6QFElP6n+gKmddpMOtEvwDpj3GYQbN/PKwNgp69p:z6a+CdOOtEvwDpjcz/

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

asih.exe

pid process

1928 asih.exe

pid	process
1928	asih.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\asih.exe	upx
behavioral1/memory/908-65-0x0000000000500000-0x0000000000510000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\asih.exe	upx
C:\Users\Admin\AppData\Local\Temp\asih.exe	upx
behavioral1/memory/1928-77-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

2022-11-23_a7d6cbd797c6bd2f4970d56cca4cc167_cryptolocker.exe

pid process

908 2022-11-23_a7d6cbd797c6bd2f4970d56cca4cc167_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
908	2022-11-23_a7d6cbd797c6bd2f4970d56cca4cc167_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2022-11-23_a7d6cbd797c6bd2f4970d56cca4cc167_cryptolocker.exe

description	pid	process	target process
PID 908 wrote to memory of 1928	908	2022-11-23_a7d6cbd797c6bd2f4970d56cca4cc167_cryptolocker.exe	asih.exe
PID 908 wrote to memory of 1928	908	2022-11-23_a7d6cbd797c6bd2f4970d56cca4cc167_cryptolocker.exe	asih.exe
PID 908 wrote to memory of 1928	908	2022-11-23_a7d6cbd797c6bd2f4970d56cca4cc167_cryptolocker.exe	asih.exe
PID 908 wrote to memory of 1928	908	2022-11-23_a7d6cbd797c6bd2f4970d56cca4cc167_cryptolocker.exe	asih.exe

C:\Users\Admin\AppData\Local\Temp\2022-11-23_a7d6cbd797c6bd2f4970d56cca4cc167_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2022-11-23_a7d6cbd797c6bd2f4970d56cca4cc167_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\asih.exe
"C:\Users\Admin\AppData\Local\Temp\asih.exe"
2⤵
- Executes dropped EXE
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe
Filesize
118KB

MD5
c88cbb0b8ff3aa3c6c7ed553ffbf5111

SHA1
6d02cff4a1cbfed14ae8cb605c5411126d5478fc

SHA256
8bcf97650c271deced305eb1b977ef045f6c7ded00b06fd1fa6becf004468a45

SHA512
f1332036876e637cf1a2df68f84f5052dc1112e5d5473555d8516a3135c6fbe40da8854f2dea224bfddc4f724d8baef3fa8db3d0fd99263f86ad0b6c5200b267

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe
Filesize
118KB

MD5
c88cbb0b8ff3aa3c6c7ed553ffbf5111

SHA1
6d02cff4a1cbfed14ae8cb605c5411126d5478fc

SHA256
8bcf97650c271deced305eb1b977ef045f6c7ded00b06fd1fa6becf004468a45

SHA512
f1332036876e637cf1a2df68f84f5052dc1112e5d5473555d8516a3135c6fbe40da8854f2dea224bfddc4f724d8baef3fa8db3d0fd99263f86ad0b6c5200b267

Download Submit
\Users\Admin\AppData\Local\Temp\asih.exe
Filesize
118KB

MD5
c88cbb0b8ff3aa3c6c7ed553ffbf5111

SHA1
6d02cff4a1cbfed14ae8cb605c5411126d5478fc

SHA256
8bcf97650c271deced305eb1b977ef045f6c7ded00b06fd1fa6becf004468a45

SHA512
f1332036876e637cf1a2df68f84f5052dc1112e5d5473555d8516a3135c6fbe40da8854f2dea224bfddc4f724d8baef3fa8db3d0fd99263f86ad0b6c5200b267

Download Submit
memory/908-54-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/908-55-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/908-56-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/908-66-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/908-65-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1928-63-0x0000000000000000-mapping.dmp

Download
memory/1928-69-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1928-76-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/1928-77-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download