Analysis

  • max time kernel
    148s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 18:39

General

  • Target

    2022-11-23_a7d6cbd797c6bd2f4970d56cca4cc167_cryptolocker.exe

  • Size

    118KB

  • MD5

    a7d6cbd797c6bd2f4970d56cca4cc167

  • SHA1

    147b8a116d91e65f43a4b92d0e67aed3d4d3b783

  • SHA256

    9829307f77d68c84080869f6e8f989ca7d42591df8ce31e3d60f9105365b8698

  • SHA512

    2e649394cc91a1647bc30b37e1aa8f06d39d277461f3608b0372b926f8069ed030c48b9214d737e8a6b051584ecc3182051d3e909404e3e08a4f6e598e123289

  • SSDEEP

    1536:z6QFElP6n+gKmddpMOtEvwDpj3GYQbN/PKwNgp69p:z6a+CdOOtEvwDpjcz/

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2022-11-23_a7d6cbd797c6bd2f4970d56cca4cc167_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2022-11-23_a7d6cbd797c6bd2f4970d56cca4cc167_cryptolocker.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Users\Admin\AppData\Local\Temp\asih.exe
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      2⤵
      • Executes dropped EXE
      PID:1928

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\asih.exe

    Filesize

    118KB

    MD5

    c88cbb0b8ff3aa3c6c7ed553ffbf5111

    SHA1

    6d02cff4a1cbfed14ae8cb605c5411126d5478fc

    SHA256

    8bcf97650c271deced305eb1b977ef045f6c7ded00b06fd1fa6becf004468a45

    SHA512

    f1332036876e637cf1a2df68f84f5052dc1112e5d5473555d8516a3135c6fbe40da8854f2dea224bfddc4f724d8baef3fa8db3d0fd99263f86ad0b6c5200b267

  • C:\Users\Admin\AppData\Local\Temp\asih.exe

    Filesize

    118KB

    MD5

    c88cbb0b8ff3aa3c6c7ed553ffbf5111

    SHA1

    6d02cff4a1cbfed14ae8cb605c5411126d5478fc

    SHA256

    8bcf97650c271deced305eb1b977ef045f6c7ded00b06fd1fa6becf004468a45

    SHA512

    f1332036876e637cf1a2df68f84f5052dc1112e5d5473555d8516a3135c6fbe40da8854f2dea224bfddc4f724d8baef3fa8db3d0fd99263f86ad0b6c5200b267

  • \Users\Admin\AppData\Local\Temp\asih.exe

    Filesize

    118KB

    MD5

    c88cbb0b8ff3aa3c6c7ed553ffbf5111

    SHA1

    6d02cff4a1cbfed14ae8cb605c5411126d5478fc

    SHA256

    8bcf97650c271deced305eb1b977ef045f6c7ded00b06fd1fa6becf004468a45

    SHA512

    f1332036876e637cf1a2df68f84f5052dc1112e5d5473555d8516a3135c6fbe40da8854f2dea224bfddc4f724d8baef3fa8db3d0fd99263f86ad0b6c5200b267

  • memory/908-54-0x00000000001D0000-0x00000000001D6000-memory.dmp

    Filesize

    24KB

  • memory/908-55-0x0000000075131000-0x0000000075133000-memory.dmp

    Filesize

    8KB

  • memory/908-56-0x0000000000280000-0x0000000000286000-memory.dmp

    Filesize

    24KB

  • memory/908-66-0x00000000001D0000-0x00000000001D6000-memory.dmp

    Filesize

    24KB

  • memory/908-65-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/1928-63-0x0000000000000000-mapping.dmp

  • memory/1928-69-0x0000000000300000-0x0000000000306000-memory.dmp

    Filesize

    24KB

  • memory/1928-76-0x00000000002D0000-0x00000000002D6000-memory.dmp

    Filesize

    24KB

  • memory/1928-77-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB