c905312fe895829fa985d2fbbf0f9748f8993009aa113269ee03feb87d5bdf58

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2023 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31b13ba9cf848e5513b3a7ab9facf0da_cryptolocker_JC.exe
Size

64KB
MD5

31b13ba9cf848e5513b3a7ab9facf0da
SHA1

772f2d46ada5e96450201c4ed6d12b0c30381ed3
SHA256

c905312fe895829fa985d2fbbf0f9748f8993009aa113269ee03feb87d5bdf58
SHA512

7cc97bbe64a91e53059039c25d243278c5a8f37d8d70b7be33a5b4c1af920c10c847e5afb32a7446bb9fd9cd8ab43f20a28c46e41a193a594eab2a1bdbe377e3
SSDEEP

1536:T6QFElP6n+gxmddpMOtEvwDpjwaxTOOZt73R:T6a+rdOOtEvwDpjNF

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4212	asih.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5040-133-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x00080000000231f5-146.dat	upx
behavioral2/files/0x00080000000231f5-148.dat	upx
behavioral2/files/0x00080000000231f5-149.dat	upx
behavioral2/memory/5040-151-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4212-159-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 4212	5040	31b13ba9cf848e5513b3a7ab9facf0da_cryptolocker_JC.exe	85
PID 5040 wrote to memory of 4212	5040	31b13ba9cf848e5513b3a7ab9facf0da_cryptolocker_JC.exe	85
PID 5040 wrote to memory of 4212	5040	31b13ba9cf848e5513b3a7ab9facf0da_cryptolocker_JC.exe	85

C:\Users\Admin\AppData\Local\Temp\31b13ba9cf848e5513b3a7ab9facf0da_cryptolocker_JC.exe
"C:\Users\Admin\AppData\Local\Temp\31b13ba9cf848e5513b3a7ab9facf0da_cryptolocker_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
64KB

MD5
62081e15f27a8d7c89c792ff595c8e72

SHA1
44acdcdf0d27646b2ace37f116c2561d6f812223

SHA256
84833c98cfea10c78eb5ea0fb16bb3f2088d293c954517832ca0a8494cd6a304

SHA512
14b27acbf324f0ba34380ba3e39df7fefed8f7cba789410915763cadbe2df0033ae5fd7efe67cca1131f76b9e161a019fcde57aa82bd68e0a23b6db8b63f7b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
64KB

MD5
62081e15f27a8d7c89c792ff595c8e72

SHA1
44acdcdf0d27646b2ace37f116c2561d6f812223

SHA256
84833c98cfea10c78eb5ea0fb16bb3f2088d293c954517832ca0a8494cd6a304

SHA512
14b27acbf324f0ba34380ba3e39df7fefed8f7cba789410915763cadbe2df0033ae5fd7efe67cca1131f76b9e161a019fcde57aa82bd68e0a23b6db8b63f7b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
64KB

MD5
62081e15f27a8d7c89c792ff595c8e72

SHA1
44acdcdf0d27646b2ace37f116c2561d6f812223

SHA256
84833c98cfea10c78eb5ea0fb16bb3f2088d293c954517832ca0a8494cd6a304

SHA512
14b27acbf324f0ba34380ba3e39df7fefed8f7cba789410915763cadbe2df0033ae5fd7efe67cca1131f76b9e161a019fcde57aa82bd68e0a23b6db8b63f7b63

Download Submit
memory/4212-152-0x0000000002070000-0x0000000002076000-memory.dmp

Filesize
24KB

Download
memory/4212-153-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/4212-159-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5040-133-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5040-134-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/5040-135-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/5040-136-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/5040-151-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download