80cd01adf7a6d1b701054f1a33bc4a0dd72ce9a54f676cf196b124caf8a2e35e

Analysis

max time kernel
149s
max time network
137s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23/01/2024, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_3d74f65c4a6521bc6ebfc3c915bb5fec_cryptolocker.exe
Size

53KB
MD5

3d74f65c4a6521bc6ebfc3c915bb5fec
SHA1

5d416e4bee6c9d5dca97c33e6512608d7a3d62cf
SHA256

80cd01adf7a6d1b701054f1a33bc4a0dd72ce9a54f676cf196b124caf8a2e35e
SHA512

a3420fa9356b1d5ae5e080e9745cffa2ac1b767d35bcf543164e95459da5a17c861471d3c7d0a2f15d24116244851d40573424766508f98b73042baa4cb98b45
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/BtOOtEvwDpjBVaD3E09vaTiSfQaV2LJ0tn:X6QFElP6n+gJBMOtEvwDpjBtE1yILJ0l

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000126ab-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000126ab-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
1748	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2188	2024-01-23_3d74f65c4a6521bc6ebfc3c915bb5fec_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1748	2188	2024-01-23_3d74f65c4a6521bc6ebfc3c915bb5fec_cryptolocker.exe	28
PID 2188 wrote to memory of 1748	2188	2024-01-23_3d74f65c4a6521bc6ebfc3c915bb5fec_cryptolocker.exe	28
PID 2188 wrote to memory of 1748	2188	2024-01-23_3d74f65c4a6521bc6ebfc3c915bb5fec_cryptolocker.exe	28
PID 2188 wrote to memory of 1748	2188	2024-01-23_3d74f65c4a6521bc6ebfc3c915bb5fec_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-23_3d74f65c4a6521bc6ebfc3c915bb5fec_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_3d74f65c4a6521bc6ebfc3c915bb5fec_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
53KB

MD5
9bf4c118f152c2bec908c617381c9ade

SHA1
9c40c0839aa4621fc7a5e5415c9fa4ab93064d0f

SHA256
1ff531b8a331930dd07e6a3ff8880641f3106bc7c5bb5ac52c525cba9f85dda5

SHA512
878d7bd540c78425714222ada9efd1cecef25c868c73a1d08dedd3f546899b0d5ba6855c58b16251ed393255478f569213a46dcaef205876410e1910eb15498a

Download Submit
memory/1748-16-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/1748-15-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2188-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2188-1-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/2188-8-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download