2fa2257a2ad5c39a68119d111017cf9972ffca7f38823b67190aca9f374180d4

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2023, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d5b29953c879f9c280b8a4270f36eef_cryptolocker_JC.exe
Size

73KB
MD5

2d5b29953c879f9c280b8a4270f36eef
SHA1

3deb5e94500d1a4d9a688d5d92aa2f54edb57504
SHA256

2fa2257a2ad5c39a68119d111017cf9972ffca7f38823b67190aca9f374180d4
SHA512

cd989c72a2fb08981a4b1b74de965f3913e5292b2370fcd3e8d8cd52289a9b805c925dec621ef8f3c4babb27286ce944b458ca82560131582481f63d6d346820
SSDEEP

1536:P8mnK6QFElP6n+gymddpMOtEvwDpjIHsalDSJq:1nK6a+qdOOtEvwDpjO

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1824	asih.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5068-133-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral2/files/0x00070000000231e9-146.dat	upx
behavioral2/files/0x00070000000231e9-148.dat	upx
behavioral2/files/0x00070000000231e9-149.dat	upx
behavioral2/memory/5068-151-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral2/memory/1824-159-0x0000000000500000-0x000000000050F311-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 1824	5068	2d5b29953c879f9c280b8a4270f36eef_cryptolocker_JC.exe	86
PID 5068 wrote to memory of 1824	5068	2d5b29953c879f9c280b8a4270f36eef_cryptolocker_JC.exe	86
PID 5068 wrote to memory of 1824	5068	2d5b29953c879f9c280b8a4270f36eef_cryptolocker_JC.exe	86

C:\Users\Admin\AppData\Local\Temp\2d5b29953c879f9c280b8a4270f36eef_cryptolocker_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2d5b29953c879f9c280b8a4270f36eef_cryptolocker_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
73KB

MD5
989f0f2fc776534cc227ce79b5ff844a

SHA1
4f2660bb5d09d75c7fbb1760cf4aac37533c2fc4

SHA256
58575f67a7b0a8763f8c5ba55f29f53477da8569b47ef0d9bcfebe561a7ade59

SHA512
38618673d2dd250dcd9abd4d1cd753b3f467d8038793a833511ca2e244162064b8ede8739c7254e95ce6ce3128a7338564031614182b659281e04442ebf9d391

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
73KB

MD5
989f0f2fc776534cc227ce79b5ff844a

SHA1
4f2660bb5d09d75c7fbb1760cf4aac37533c2fc4

SHA256
58575f67a7b0a8763f8c5ba55f29f53477da8569b47ef0d9bcfebe561a7ade59

SHA512
38618673d2dd250dcd9abd4d1cd753b3f467d8038793a833511ca2e244162064b8ede8739c7254e95ce6ce3128a7338564031614182b659281e04442ebf9d391

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
73KB

MD5
989f0f2fc776534cc227ce79b5ff844a

SHA1
4f2660bb5d09d75c7fbb1760cf4aac37533c2fc4

SHA256
58575f67a7b0a8763f8c5ba55f29f53477da8569b47ef0d9bcfebe561a7ade59

SHA512
38618673d2dd250dcd9abd4d1cd753b3f467d8038793a833511ca2e244162064b8ede8739c7254e95ce6ce3128a7338564031614182b659281e04442ebf9d391

Download Submit
memory/1824-153-0x0000000001F70000-0x0000000001F76000-memory.dmp

Filesize
24KB

Download
memory/1824-152-0x0000000001F50000-0x0000000001F56000-memory.dmp

Filesize
24KB

Download
memory/1824-159-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/5068-133-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/5068-134-0x0000000000680000-0x0000000000686000-memory.dmp

Filesize
24KB

Download
memory/5068-135-0x0000000000680000-0x0000000000686000-memory.dmp

Filesize
24KB

Download
memory/5068-136-0x0000000002240000-0x0000000002246000-memory.dmp

Filesize
24KB

Download
memory/5068-151-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download