a661c12cdda38384bafed713d1a76e9db76123eac9c3c745aa2148134942c41d

Analysis

max time kernel
0s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe
Size

91KB
MD5

1a1279a80c9f22d1f0a4d0fc8e86b6c3
SHA1

98993b458de66f8f8cb92d0d2be3cf2739957372
SHA256

a661c12cdda38384bafed713d1a76e9db76123eac9c3c745aa2148134942c41d
SHA512

82be3ffa610996c42e8bfe68384e673eed19687193b75099aa66d2bd316adf532c5d8641e5f98936497aa387c61acd0d6d99a7d538ac96deda905811e17fce7c
SSDEEP

1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgp01K:AnBdOOtEvwDpj6zM

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1528	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2112	2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2112-1-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/memory/1528-25-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/files/0x000c000000011fde-24.dat	upx
behavioral1/memory/2112-15-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/files/0x000c000000011fde-14.dat	upx
behavioral1/files/0x000c000000011fde-11.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1528	2112	2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe	14
PID 2112 wrote to memory of 1528	2112	2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe	14
PID 2112 wrote to memory of 1528	2112	2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe	14
PID 2112 wrote to memory of 1528	2112	2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe	14

C:\Users\Admin\AppData\Local\Temp\2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_1a1279a80c9f22d1f0a4d0fc8e86b6c3_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
1KB

MD5
97a3f352fa15ffe31601bd0598642563

SHA1
6ec50c0cc7b0162de2f240d5a26476d47fdadd49

SHA256
66a0e618a7e8cda430bd50a002ee016a6357cb2153ac906453a87a42537b6e8e

SHA512
c32f233b6929d6186bf4bdeb882ec9f393c060b8ae81d479558a03cc402c91541d473e1178548dc7cb7c3355ad303e986640f18bb2599282e45528b29393823f

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
5KB

MD5
3c0e25dcb8a5d4052322fad2bca96ab2

SHA1
01a78250096567cb1d4c78b1a65e8e23c058e4c0

SHA256
b81b617b2a3079cae18f44ef5d41fbf8fc3fff08be75867e5a3c190592f09e3d

SHA512
1a69b318e6148d39e3ad4da86c5e9f0cf9e4cdaa16731981a404e547882b59e891bfa7fc67f59cf8d77ae19c9b30863edd7155fc644c6f500e7f01083839720c

Download Submit
\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
18KB

MD5
89f4b48b15b1c1562b49ebd727936560

SHA1
5ee2ce2df38037f1a10543459150c3d8d99fd927

SHA256
7af298fc4ef133778e0fdc57da14c60ac8885a09943ecce65a2db309a6e3f2be

SHA512
3f92da2cf9263def2f922b9ccf3755b946ff23fed378564c5377d5491493a41f0303feb62524fe23d244479af0c95eeee17bbab81f180c541677d85e31f0c968

Download Submit
memory/1528-17-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/1528-23-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/1528-25-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2112-1-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2112-0-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2112-2-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2112-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2112-9-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download