fcf4919cd7ee73e2c87eb59e7b31a627b3bbe9af2955e4b5936ca326248cb451

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23/01/2024, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_1550d2b5a86235a38895aec31bfd7779_cryptolocker.exe
Size

98KB
MD5

1550d2b5a86235a38895aec31bfd7779
SHA1

19edda18ee7b51f15528e5fc36b509e71e150ec3
SHA256

fcf4919cd7ee73e2c87eb59e7b31a627b3bbe9af2955e4b5936ca326248cb451
SHA512

8f9e873a47858343414f5b29dc6f45675cd91a66246d486b7b410857bc2460f5f39b9cdbe85589deea93d1caceae606d5348e8ec5d51304cc806f711e9983650
SSDEEP

1536:26QFElP6n+gBQMOtEvwDpjQGYQbN/PKwNCWw6fc:26a+2OtEvwDpjtz6

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012248-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012248-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2676	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2760	2024-01-23_1550d2b5a86235a38895aec31bfd7779_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2676	2760	2024-01-23_1550d2b5a86235a38895aec31bfd7779_cryptolocker.exe	28
PID 2760 wrote to memory of 2676	2760	2024-01-23_1550d2b5a86235a38895aec31bfd7779_cryptolocker.exe	28
PID 2760 wrote to memory of 2676	2760	2024-01-23_1550d2b5a86235a38895aec31bfd7779_cryptolocker.exe	28
PID 2760 wrote to memory of 2676	2760	2024-01-23_1550d2b5a86235a38895aec31bfd7779_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-23_1550d2b5a86235a38895aec31bfd7779_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_1550d2b5a86235a38895aec31bfd7779_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
98KB

MD5
a914a78f65a8f433d60b763b58d698aa

SHA1
624500124fa8142a49467f144dc725ff6cebe2f5

SHA256
77998440d2017ab2c545ce97e3abab45369a08f1992aac4594066009fc9262c7

SHA512
2e913be2283142132862d02082aa7af24d7bc1d13a561ddbd0ad839c7ee9f66258392ee75fd222922e8b869490ed75ae72991a12fd77abfb061e298e2f75905b

Download Submit
memory/2676-18-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2676-15-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2760-0-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2760-1-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/2760-3-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download