ba5c09b3d777cab0598e20973dcb16e6a4770dae676341e1a4db7bb11e0b169b

Analysis

max time kernel
1s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 15:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-03_3249471498cc7bdef4d9a91f33e3ac41_cryptolocker.exe
Size

103KB
MD5

3249471498cc7bdef4d9a91f33e3ac41
SHA1

82a834f4fc8fcb3beb3f304da0d3ac016d541868
SHA256

ba5c09b3d777cab0598e20973dcb16e6a4770dae676341e1a4db7bb11e0b169b
SHA512

d4983648e2a8b7150026966940f9f5e74691300856df97d174acbd345b83978fce1cd19f8323bbf4c6c00d090ec5caf220041ee8d9f26b5830217a5b9c5cd8c2
SSDEEP

1536:P8mnK6QFElP6n+gymddpMOtEvwDpjIHsalRn5iF1j6GksK:1nK6a+qdOOtEvwDpjK

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2744	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
756	2024-01-03_3249471498cc7bdef4d9a91f33e3ac41_cryptolocker.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/756-0-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral1/memory/756-15-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral1/files/0x000a00000001225e-25.dat	upx
behavioral1/memory/2744-17-0x0000000000500000-0x000000000050F311-memory.dmp	upx
behavioral1/files/0x000a00000001225e-14.dat	upx
behavioral1/files/0x000a00000001225e-11.dat	upx
behavioral1/memory/2744-27-0x0000000000500000-0x000000000050F311-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2744	756	2024-01-03_3249471498cc7bdef4d9a91f33e3ac41_cryptolocker.exe	16
PID 756 wrote to memory of 2744	756	2024-01-03_3249471498cc7bdef4d9a91f33e3ac41_cryptolocker.exe	16
PID 756 wrote to memory of 2744	756	2024-01-03_3249471498cc7bdef4d9a91f33e3ac41_cryptolocker.exe	16
PID 756 wrote to memory of 2744	756	2024-01-03_3249471498cc7bdef4d9a91f33e3ac41_cryptolocker.exe	16

C:\Users\Admin\AppData\Local\Temp\2024-01-03_3249471498cc7bdef4d9a91f33e3ac41_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-03_3249471498cc7bdef4d9a91f33e3ac41_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
1KB

MD5
3ea51bf367cd953686176c82bddf7aa7

SHA1
48955bb830643b73b4af3a74095be6d995c5cab0

SHA256
c42d883dd057b2710f7e49bb41fbdb806b95fe4ce19317d9840ff62ae5a9191a

SHA512
229b2c16b9cb07563fe404f5cb3debc7d287c005594d7d0d7962f2e338ab2a0c3f8ae0ab4079a29c7520ba5be485641b9484ac143344cbb170d8c1129286853d

Download Submit
\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
11KB

MD5
52b105b630973e84f63697c5158f62a7

SHA1
a892ec8d359734bf907a60f3c4c8a6396a2672b6

SHA256
4fc405b54a8ee4986775c6f73bbe7e2540aa6d66f109dd2cd654beb40e256c5f

SHA512
fbfa07500fc614465b68cd9bffaa6511cab7291ae1b0bc746933f43907aab59f19c8dd90223ae7e4319989e6afb2b98e7b0c6e678ff9e6adab4073decdf529f5

Download Submit
memory/756-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/756-3-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/756-2-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/756-0-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/756-15-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/756-16-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/756-26-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2744-17-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download
memory/2744-27-0x0000000000500000-0x000000000050F311-memory.dmp

Filesize
60KB

Download