7e6edc58550424e224bd778320fda3e152e8930194e042571e9520bd4dd7a481

Analysis

max time kernel
134s
max time network
146s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
02/08/2023, 19:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

45a868ee5b91fb3c216cc6c02cd89f7d_cryptolocker_JC.exe
Size

138KB
MD5

45a868ee5b91fb3c216cc6c02cd89f7d
SHA1

9881c0be6611117eedb7d91337b93e41ac46701f
SHA256

7e6edc58550424e224bd778320fda3e152e8930194e042571e9520bd4dd7a481
SHA512

d18fbb4a1e9ed42548daa46d68e6ad242d691f0bd06a5fce1bdd317c53baecbffe10de4e97abbd5b81e88437869c1246337de4c4c94dd69852f33f1a771f991c
SSDEEP

1536:z6QFElP6n+gKmddpMOtEvwDpj3GYQbN/PKwNgp699GNtL1E:z6a+CdOOtEvwDpjczb

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2408	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1220	45a868ee5b91fb3c216cc6c02cd89f7d_cryptolocker_JC.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1220-54-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x00070000000120ed-65.dat	upx
behavioral1/memory/1220-70-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2408-69-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x00070000000120ed-68.dat	upx
behavioral1/files/0x00070000000120ed-78.dat	upx
behavioral1/memory/2408-79-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2408	1220	45a868ee5b91fb3c216cc6c02cd89f7d_cryptolocker_JC.exe	28
PID 1220 wrote to memory of 2408	1220	45a868ee5b91fb3c216cc6c02cd89f7d_cryptolocker_JC.exe	28
PID 1220 wrote to memory of 2408	1220	45a868ee5b91fb3c216cc6c02cd89f7d_cryptolocker_JC.exe	28
PID 1220 wrote to memory of 2408	1220	45a868ee5b91fb3c216cc6c02cd89f7d_cryptolocker_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\45a868ee5b91fb3c216cc6c02cd89f7d_cryptolocker_JC.exe
"C:\Users\Admin\AppData\Local\Temp\45a868ee5b91fb3c216cc6c02cd89f7d_cryptolocker_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
138KB

MD5
25335896e9539a4fe16c770ea4a19242

SHA1
647c9a2d9f0f30e9d68a30c6e06a5108f9484456

SHA256
5350b57dbcb65a1a772805bb90abdb8b3054f8a47cbeda5fad63b7a710baed29

SHA512
f30f425e00ba8673ca1179125bf2f2bad7c327cbfaa81c5d574e59eb117b49bf119aee95a9204466675f1457191f3224b7c398a557189fd97de47e570a54e403

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
138KB

MD5
25335896e9539a4fe16c770ea4a19242

SHA1
647c9a2d9f0f30e9d68a30c6e06a5108f9484456

SHA256
5350b57dbcb65a1a772805bb90abdb8b3054f8a47cbeda5fad63b7a710baed29

SHA512
f30f425e00ba8673ca1179125bf2f2bad7c327cbfaa81c5d574e59eb117b49bf119aee95a9204466675f1457191f3224b7c398a557189fd97de47e570a54e403

Download Submit
\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
138KB

MD5
25335896e9539a4fe16c770ea4a19242

SHA1
647c9a2d9f0f30e9d68a30c6e06a5108f9484456

SHA256
5350b57dbcb65a1a772805bb90abdb8b3054f8a47cbeda5fad63b7a710baed29

SHA512
f30f425e00ba8673ca1179125bf2f2bad7c327cbfaa81c5d574e59eb117b49bf119aee95a9204466675f1457191f3224b7c398a557189fd97de47e570a54e403

Download Submit
memory/1220-54-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1220-55-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1220-56-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1220-58-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1220-70-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2408-69-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2408-72-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2408-79-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download