aba6a23e458080999d9ec4bd4e5acf4051666283ec6b96137aa53cd75e627aaa

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
05/08/2023, 20:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7c095b31ff266b4ffed23e4f704ecf84_cryptolocker_JC.exe
Size

97KB
MD5

7c095b31ff266b4ffed23e4f704ecf84
SHA1

cdab462544a8992b9f938b8bad8cb24bdf02b2db
SHA256

aba6a23e458080999d9ec4bd4e5acf4051666283ec6b96137aa53cd75e627aaa
SHA512

808c6efaec6ea1f7dfe984c0c960366db9011cb2dc7954c7bf6dcf678b699979851f6967bde3a06ef7077047a13741ebd76e4ff51e87626ece19cabeabfdf9d2
SSDEEP

1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgpQbCJjM1:AnBdOOtEvwDpj6zd

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2476	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1120	7c095b31ff266b4ffed23e4f704ecf84_cryptolocker_JC.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1120-54-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/files/0x00080000000120e6-65.dat	upx
behavioral1/files/0x00080000000120e6-68.dat	upx
behavioral1/memory/1120-69-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/memory/2476-70-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/files/0x00080000000120e6-79.dat	upx
behavioral1/memory/2476-80-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2476	1120	7c095b31ff266b4ffed23e4f704ecf84_cryptolocker_JC.exe	28
PID 1120 wrote to memory of 2476	1120	7c095b31ff266b4ffed23e4f704ecf84_cryptolocker_JC.exe	28
PID 1120 wrote to memory of 2476	1120	7c095b31ff266b4ffed23e4f704ecf84_cryptolocker_JC.exe	28
PID 1120 wrote to memory of 2476	1120	7c095b31ff266b4ffed23e4f704ecf84_cryptolocker_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\7c095b31ff266b4ffed23e4f704ecf84_cryptolocker_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7c095b31ff266b4ffed23e4f704ecf84_cryptolocker_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
97KB

MD5
fbcdb66c955c1db7e29a7e474928a161

SHA1
9685cc34983e1f0ce5fb5630a41cb27d3039486a

SHA256
afb3b6103959d891bfca7c00b0a78f5c0afc346dc26f3f2e6066275fe283ee48

SHA512
6e8f95f237825b76ef731648f4e474be0623524a3707289f318a254fb7b6a1a0abe14e6b01e8f907cabd14b5c15252c457808fc7379324feba3ec1fa85e1d1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
97KB

MD5
fbcdb66c955c1db7e29a7e474928a161

SHA1
9685cc34983e1f0ce5fb5630a41cb27d3039486a

SHA256
afb3b6103959d891bfca7c00b0a78f5c0afc346dc26f3f2e6066275fe283ee48

SHA512
6e8f95f237825b76ef731648f4e474be0623524a3707289f318a254fb7b6a1a0abe14e6b01e8f907cabd14b5c15252c457808fc7379324feba3ec1fa85e1d1de

Download Submit
\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
97KB

MD5
fbcdb66c955c1db7e29a7e474928a161

SHA1
9685cc34983e1f0ce5fb5630a41cb27d3039486a

SHA256
afb3b6103959d891bfca7c00b0a78f5c0afc346dc26f3f2e6066275fe283ee48

SHA512
6e8f95f237825b76ef731648f4e474be0623524a3707289f318a254fb7b6a1a0abe14e6b01e8f907cabd14b5c15252c457808fc7379324feba3ec1fa85e1d1de

Download Submit
memory/1120-54-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1120-55-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1120-56-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/1120-58-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1120-69-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2476-70-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2476-73-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2476-72-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2476-80-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download