90b6458c2b23923945cd241efd3bc1b40c57e4255db79909b7a09167947588ce

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
05/08/2023, 19:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

768459f836b75497f7997a30bde7be84_cryptolocker_JC.exe
Size

76KB
MD5

768459f836b75497f7997a30bde7be84
SHA1

531e698c6138b42eee5bfcfda169a5162cd0cd36
SHA256

90b6458c2b23923945cd241efd3bc1b40c57e4255db79909b7a09167947588ce
SHA512

ca779c39004a2550361a0aec3ce9fa4e0e72c016544b465cb0dda59fc646871bc75d80cc0ed034ef873c23e77e77a7c89cad2ee631731b5c1fd27bb179aff256
SSDEEP

1536:P8mnK6QFElP6n+gymddpMOtEvwDpjIHsalDSnUP:1nK6a+qdOOtEvwDpjk

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2484	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2680	768459f836b75497f7997a30bde7be84_cryptolocker_JC.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2680-53-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral1/files/0x0009000000012023-64.dat	upx
behavioral1/memory/2680-68-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral1/memory/2484-70-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral1/files/0x0009000000012023-69.dat	upx
behavioral1/memory/2680-66-0x0000000002800000-0x0000000002810000-memory.dmp	upx
behavioral1/files/0x0009000000012023-79.dat	upx
behavioral1/memory/2484-80-0x0000000000500000-0x000000000050F311-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2484	2680	768459f836b75497f7997a30bde7be84_cryptolocker_JC.exe	28
PID 2680 wrote to memory of 2484	2680	768459f836b75497f7997a30bde7be84_cryptolocker_JC.exe	28
PID 2680 wrote to memory of 2484	2680	768459f836b75497f7997a30bde7be84_cryptolocker_JC.exe	28
PID 2680 wrote to memory of 2484	2680	768459f836b75497f7997a30bde7be84_cryptolocker_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\768459f836b75497f7997a30bde7be84_cryptolocker_JC.exe
"C:\Users\Admin\AppData\Local\Temp\768459f836b75497f7997a30bde7be84_cryptolocker_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
76KB

MD5
0ba4d209f654272e3204454c7f2f5798

SHA1
fabb6d5e5a24b38268636d564f09f59f59d1f7e3

SHA256
417c84fbc94a035b88f76b6aaae0d72a1f937f7185080ed01809fd89ffc18b85

SHA512
d459e19cf955925d987095c176de559f3de5ae35d8b55d3c37b7abfe87d8bbe77a305d5aaae02d902b97f8cbd761f82b3b04c2143d71bbce809f9051dd19e1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
76KB

MD5
0ba4d209f654272e3204454c7f2f5798

SHA1
fabb6d5e5a24b38268636d564f09f59f59d1f7e3

SHA256
417c84fbc94a035b88f76b6aaae0d72a1f937f7185080ed01809fd89ffc18b85

SHA512
d459e19cf955925d987095c176de559f3de5ae35d8b55d3c37b7abfe87d8bbe77a305d5aaae02d902b97f8cbd761f82b3b04c2143d71bbce809f9051dd19e1bf

Download Submit
\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
76KB

MD5
0ba4d209f654272e3204454c7f2f5798

SHA1
fabb6d5e5a24b38268636d564f09f59f59d1f7e3

SHA256
417c84fbc94a035b88f76b6aaae0d72a1f937f7185080ed01809fd89ffc18b85

SHA512
d459e19cf955925d987095c176de559f3de5ae35d8b55d3c37b7abfe87d8bbe77a305d5aaae02d902b97f8cbd761f82b3b04c2143d71bbce809f9051dd19e1bf

Download Submit
memory/2484-72-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2484-70-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/2484-73-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2484-80-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/2680-57-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/2680-68-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/2680-55-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/2680-66-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/2680-53-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/2680-54-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download