40b2f62692239b7c81aadbb98f7ebe40c8e077d98fdaabd40a11eeeb562fe6e7

General

Target

33afd1b7b9cfc7ae8a5ab0987fbb9c46_cryptolocker_JC.exe
Size

54KB
MD5

33afd1b7b9cfc7ae8a5ab0987fbb9c46
SHA1

73d1e17f436648dffba1cdd4bda3925cdb7b2452
SHA256

40b2f62692239b7c81aadbb98f7ebe40c8e077d98fdaabd40a11eeeb562fe6e7
SHA512

f797258c46a9bc980d0c39047155d93ff78b9441342670f5bd06a0fcc6f32e150fff6e8fbf96deb5634e078ce7b9b8e0d1d21f3afc3f81b224af8b2cdd93c45a
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjyaLccCKdulcrm:V6a+pOtEvwDpjv9a

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5020	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	536	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 5020	1736	33afd1b7b9cfc7ae8a5ab0987fbb9c46_cryptolocker_JC.exe	86
PID 1736 wrote to memory of 5020	1736	33afd1b7b9cfc7ae8a5ab0987fbb9c46_cryptolocker_JC.exe	86
PID 1736 wrote to memory of 5020	1736	33afd1b7b9cfc7ae8a5ab0987fbb9c46_cryptolocker_JC.exe	86

C:\Users\Admin\AppData\Local\Temp\33afd1b7b9cfc7ae8a5ab0987fbb9c46_cryptolocker_JC.exe
"C:\Users\Admin\AppData\Local\Temp\33afd1b7b9cfc7ae8a5ab0987fbb9c46_cryptolocker_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:5020

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
95642003ab4c7cf1d080e2e389ffce66

SHA1
b340c6c5ce2b03adc3b41809c38535e740faa002

SHA256
a3bcd5acb479859f1889b61609fd4c0b34019e956a7414a32e6615a9fd6f9f6e

SHA512
f7f2862ab19616c391022f53623fd343c8bd27dcd1aa3d79d4c159fbe6017bf41ca9470136c062550a2d81c568256a98006bbf4f2af81e725a21ac0b12df93e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
54KB

MD5
e39e2839244e73a4e0851a2dfe2f94be

SHA1
ab66111e1a13fa6be520d4517b0fb58685153e90

SHA256
43478eb0e0d1ec72acea8bc74583f06c8325aeab8664f3d1d8c2bea26dfe22fd

SHA512
28f55c5c71bad9dbb369d20bcbe8848d8ac874bafd9f48ccc5d44bdb8432974a61a560c03f448088013381acfd8e02dbb8600111cb775a3308ef9d8cb3dd1584

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
54KB

MD5
e39e2839244e73a4e0851a2dfe2f94be

SHA1
ab66111e1a13fa6be520d4517b0fb58685153e90

SHA256
43478eb0e0d1ec72acea8bc74583f06c8325aeab8664f3d1d8c2bea26dfe22fd

SHA512
28f55c5c71bad9dbb369d20bcbe8848d8ac874bafd9f48ccc5d44bdb8432974a61a560c03f448088013381acfd8e02dbb8600111cb775a3308ef9d8cb3dd1584

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
54KB

MD5
e39e2839244e73a4e0851a2dfe2f94be

SHA1
ab66111e1a13fa6be520d4517b0fb58685153e90

SHA256
43478eb0e0d1ec72acea8bc74583f06c8325aeab8664f3d1d8c2bea26dfe22fd

SHA512
28f55c5c71bad9dbb369d20bcbe8848d8ac874bafd9f48ccc5d44bdb8432974a61a560c03f448088013381acfd8e02dbb8600111cb775a3308ef9d8cb3dd1584

Download Submit
memory/536-200-0x000001D19C6B0000-0x000001D19C6B1000-memory.dmp

Filesize
4KB

Download
memory/536-194-0x000001D19CA80000-0x000001D19CA81000-memory.dmp

Filesize
4KB

Download
memory/536-221-0x000001D19C7E0000-0x000001D19C7E1000-memory.dmp

Filesize
4KB

Download
memory/536-209-0x000001D19C5E0000-0x000001D19C5E1000-memory.dmp

Filesize
4KB

Download
memory/536-157-0x000001D194370000-0x000001D194380000-memory.dmp

Filesize
64KB

Download
memory/536-173-0x000001D194470000-0x000001D194480000-memory.dmp

Filesize
64KB

Download
memory/536-189-0x000001D19CA60000-0x000001D19CA61000-memory.dmp

Filesize
4KB

Download
memory/536-190-0x000001D19CA80000-0x000001D19CA81000-memory.dmp

Filesize
4KB

Download
memory/536-191-0x000001D19CA80000-0x000001D19CA81000-memory.dmp

Filesize
4KB

Download
memory/536-192-0x000001D19CA80000-0x000001D19CA81000-memory.dmp

Filesize
4KB

Download
memory/536-193-0x000001D19CA80000-0x000001D19CA81000-memory.dmp

Filesize
4KB

Download
memory/536-206-0x000001D19C6A0000-0x000001D19C6A1000-memory.dmp

Filesize
4KB

Download
memory/536-195-0x000001D19CA80000-0x000001D19CA81000-memory.dmp

Filesize
4KB

Download
memory/536-196-0x000001D19CA80000-0x000001D19CA81000-memory.dmp

Filesize
4KB

Download
memory/536-197-0x000001D19CA80000-0x000001D19CA81000-memory.dmp

Filesize
4KB

Download
memory/536-198-0x000001D19CA80000-0x000001D19CA81000-memory.dmp

Filesize
4KB

Download
memory/536-199-0x000001D19CA80000-0x000001D19CA81000-memory.dmp

Filesize
4KB

Download
memory/536-203-0x000001D19C6B0000-0x000001D19C6B1000-memory.dmp

Filesize
4KB

Download
memory/536-201-0x000001D19C6A0000-0x000001D19C6A1000-memory.dmp

Filesize
4KB

Download
memory/1736-133-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/1736-135-0x0000000000750000-0x0000000000756000-memory.dmp

Filesize
24KB

Download
memory/1736-134-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/5020-150-0x00000000020F0000-0x00000000020F6000-memory.dmp

Filesize
24KB

Download
memory/5020-151-0x00000000020D0000-0x00000000020D6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing