11b33a645ef0faf44c6826fc2e8e9bc7f7ff87d855b1e7145183143d6ee0c1ed

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29-01-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-29_77c74b4529d5cfa1ec186e83f411be2d_cryptolocker.exe
Size

48KB
MD5

77c74b4529d5cfa1ec186e83f411be2d
SHA1

bc1f95dd7f7488dcc20bbe880445cfee5982367b
SHA256

11b33a645ef0faf44c6826fc2e8e9bc7f7ff87d855b1e7145183143d6ee0c1ed
SHA512

5c3b3bd9eedf0b0209576cb34df7f77659c3f542b095e156634f53789a04ae5b054b38458c1235be6181de4664f982a21a131aba4bce8bd59d87b6d347455ae0
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjeJQ7pojakNfB:V6a+pOtEvwDpjS

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122a8-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122a8-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
1836	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2268	2024-01-29_77c74b4529d5cfa1ec186e83f411be2d_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1836	2268	2024-01-29_77c74b4529d5cfa1ec186e83f411be2d_cryptolocker.exe	28
PID 2268 wrote to memory of 1836	2268	2024-01-29_77c74b4529d5cfa1ec186e83f411be2d_cryptolocker.exe	28
PID 2268 wrote to memory of 1836	2268	2024-01-29_77c74b4529d5cfa1ec186e83f411be2d_cryptolocker.exe	28
PID 2268 wrote to memory of 1836	2268	2024-01-29_77c74b4529d5cfa1ec186e83f411be2d_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-29_77c74b4529d5cfa1ec186e83f411be2d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_77c74b4529d5cfa1ec186e83f411be2d_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
48KB

MD5
bb4525be30eb9127b8db257096740194

SHA1
ca5bbdf307897ade3c407a296593a642a322dc21

SHA256
a57b2f468d90cef934de983b56023f592769aec73d44b361ba8a94893527174d

SHA512
47bbbea718f98824c6de525deb6e63d5446e37539e96000692ba778ba5f32b7848d2069693f7190a22f01d3b60bf733bf4f91ce620a689eef7ae718347ec6a68

Download Submit
memory/2268-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2268-1-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2268-8-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download