b6e00bd2607dc5f70c5c1a5f8887dbd00e12bd1ba2c6951dcf4f174c3d3248d4

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/01/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe
Size

55KB
MD5

ae8f7f05d74442d58624577dfed88fa2
SHA1

3c2d3f9414b2c133661367f7d061654414a2e73e
SHA256

b6e00bd2607dc5f70c5c1a5f8887dbd00e12bd1ba2c6951dcf4f174c3d3248d4
SHA512

d02f21d51632641930275cbea1587375dba050f2e6f1fe787682f9e76d254741682c3b7f4720ccc0318238474c16f5112a820ab9990537387534d1d48ebde4ce
SSDEEP

1536:qmbhXDmjr5MOtEvwDpj5cDtKkQZQRKb61o:BbdDmjr+OtEvwDpjMa

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 6 IoCs

resource	yara_rule
behavioral1/memory/2752-1-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000a000000013a1a-11.dat	CryptoLocker_rule2
behavioral1/memory/2752-13-0x00000000023A0000-0x00000000023B0000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2752-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/3008-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/3008-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral1/memory/2752-1-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2752-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/3008-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/3008-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral1/memory/2752-1-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/files/0x000a000000013a1a-11.dat	UPX
behavioral1/memory/2752-13-0x00000000023A0000-0x00000000023B0000-memory.dmp	UPX
behavioral1/memory/2752-16-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/3008-17-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/3008-27-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
3008	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2752	2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 3008	2752	2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe	28
PID 2752 wrote to memory of 3008	2752	2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe	28
PID 2752 wrote to memory of 3008	2752	2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe	28
PID 2752 wrote to memory of 3008	2752	2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-22_ae8f7f05d74442d58624577dfed88fa2_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
56KB

MD5
091bb4f3e837515c52fbe869eb5feb8e

SHA1
1148a05816da70310f708f7a006791e0d61ed0f5

SHA256
07cddc56f2b5bf1c0a96fd50aa777cef139938c2529900d2d3a6cf82272b2f93

SHA512
3bd632b113fa63b67ebd62b49fee97d201d3146bf35b5bd486adf97b534d3e6719b2dbede16c76c2cb0019017b5674c328dc5de5a3b2db1813cb1c0b8e83a052

Download Submit
memory/2752-0-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/2752-1-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2752-2-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/2752-8-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/2752-13-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2752-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3008-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3008-19-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/3008-23-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/3008-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download