5650e24f0839bcaec2a5111064255276c042dc7cf77c7f468bfc53e6ba2e7cc3

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 03:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_6eccd3808d86324c3f73e8bdf76fc529_cryptolocker.exe
Size

36KB
MD5

6eccd3808d86324c3f73e8bdf76fc529
SHA1

949273c851ce09e994f049b88ecc0ba265fc53a0
SHA256

5650e24f0839bcaec2a5111064255276c042dc7cf77c7f468bfc53e6ba2e7cc3
SHA512

5bb98b469cdf53afa26164d6a6974b995ddc77f4ffe370a712c5751762a797b7359ad7836d278b798f10d3d5b27443dd0316e2237ddcb243b567cea4012484ad
SSDEEP

768:wHGGaSawqnwjRQ6ESlmFOsPoOdQtOOtEvwDpjm6WaJIOc+UPPEkLP:YGzl5wjRQBBOsP1QMOtEvwDpjgarrkLP

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/1708-0-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000b000000012262-11.dat	CryptoLocker_rule2
behavioral1/memory/1708-15-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1708-14-0x00000000006F0000-0x00000000006FB000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2388-18-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral1/memory/1708-0-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000b000000012262-11.dat	CryptoLocker_set1
behavioral1/memory/1708-15-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2388-18-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2388	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1708	2024-01-27_6eccd3808d86324c3f73e8bdf76fc529_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2388	1708	2024-01-27_6eccd3808d86324c3f73e8bdf76fc529_cryptolocker.exe	28
PID 1708 wrote to memory of 2388	1708	2024-01-27_6eccd3808d86324c3f73e8bdf76fc529_cryptolocker.exe	28
PID 1708 wrote to memory of 2388	1708	2024-01-27_6eccd3808d86324c3f73e8bdf76fc529_cryptolocker.exe	28
PID 1708 wrote to memory of 2388	1708	2024-01-27_6eccd3808d86324c3f73e8bdf76fc529_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-27_6eccd3808d86324c3f73e8bdf76fc529_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_6eccd3808d86324c3f73e8bdf76fc529_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
36KB

MD5
4bcb7c56e59cae08d2e11e99e71afd51

SHA1
f25c7f2662ccd23c53f868b29645381676a48ff7

SHA256
c2561f352dcb8eb19bb5b4c8b389497a35074e8ac5ad61d25a40e06278494b5a

SHA512
186ac0250c46a8d61331999075930e9472ab3538897195bf73d751b278c5050b4622a733eea525d36d9518718c062eb988d55b6a3cb9f17f2f6a7b944735c705

Download Submit
memory/1708-0-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/1708-1-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1708-2-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/1708-4-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1708-15-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/1708-14-0x00000000006F0000-0x00000000006FB000-memory.dmp

Filesize
44KB

Download
memory/2388-18-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/2388-19-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/2388-21-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download