cfd61ccef0f2339102ded1f11792ed37f459736299330ba51f70623380be6713

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_2eaa19f1f553a26538f62b873fc044b6_cryptolocker.exe
Size

72KB
MD5

2eaa19f1f553a26538f62b873fc044b6
SHA1

5852d16ae7eb6f1cfdbcaf39806a1dd47d4c73c1
SHA256

cfd61ccef0f2339102ded1f11792ed37f459736299330ba51f70623380be6713
SHA512

4d7c2feef7d63a5b5f6b865ff4e778d7a4f5eb922c22dcbdc39e64ed8a97ff656efd8b0d4f124f63dadd826f6f742b97b4444823ddcb8bbca8dd9ab24a92fbb5
SSDEEP

1536:X6QFElP6n+gJQMOtEvwDpjBZYTjipvF2bx1Me:X6a+SOtEvwDpjBZYvQd2j

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000900000001447e-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000900000001447e-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2296	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1680	2024-01-24_2eaa19f1f553a26538f62b873fc044b6_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2296	1680	2024-01-24_2eaa19f1f553a26538f62b873fc044b6_cryptolocker.exe	28
PID 1680 wrote to memory of 2296	1680	2024-01-24_2eaa19f1f553a26538f62b873fc044b6_cryptolocker.exe	28
PID 1680 wrote to memory of 2296	1680	2024-01-24_2eaa19f1f553a26538f62b873fc044b6_cryptolocker.exe	28
PID 1680 wrote to memory of 2296	1680	2024-01-24_2eaa19f1f553a26538f62b873fc044b6_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-24_2eaa19f1f553a26538f62b873fc044b6_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_2eaa19f1f553a26538f62b873fc044b6_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
72KB

MD5
77f3a33dffd08f3b15825b78693c1817

SHA1
4dba4f5eb71c39e2a3e9e1efe1b722e54e7a4c8f

SHA256
8273f041a64e0da91f90a6dab5c283129fa2117d64a5620a2117e391a3f07cb7

SHA512
c86bf1e3c707b8392fad339f586f976c03eef908491e177d5d9be68e08ad444e5def123c33c5ded6127dc92c0929b4a417512923cbcaa20426f911c597b95042

Download Submit
memory/1680-0-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/1680-1-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/1680-4-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2296-15-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download
memory/2296-20-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download