c9d0e5240f1cfee99734b9b1775b329ca28e75d56fe92699f9662c65b33c379e

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-01-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-29_5a569d8a67aa4a61d44861abf45ea67c_cryptolocker.exe
Size

56KB
MD5

5a569d8a67aa4a61d44861abf45ea67c
SHA1

fa28503abea49fe192a27a46c4b85cf4f0ee6a84
SHA256

c9d0e5240f1cfee99734b9b1775b329ca28e75d56fe92699f9662c65b33c379e
SHA512

80cc00e42b0556a23951c1624b8c038a6b36ed8e34a57758df1e68f345d62edcdad51e0419031ca3b9184e3b154e91688305fdee191b1969b69fa688c93e5efc
SSDEEP

768:V6LsoEEeegiZPvEhHSG+gDYQtOOtEvwDpj/MLa5VccPt547/4h:V6QFElP6n+gMQMOtEvwDpjyaLccVCb4h

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012274-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012274-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2096	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
3004	2024-01-29_5a569d8a67aa4a61d44861abf45ea67c_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2096	3004	2024-01-29_5a569d8a67aa4a61d44861abf45ea67c_cryptolocker.exe	28
PID 3004 wrote to memory of 2096	3004	2024-01-29_5a569d8a67aa4a61d44861abf45ea67c_cryptolocker.exe	28
PID 3004 wrote to memory of 2096	3004	2024-01-29_5a569d8a67aa4a61d44861abf45ea67c_cryptolocker.exe	28
PID 3004 wrote to memory of 2096	3004	2024-01-29_5a569d8a67aa4a61d44861abf45ea67c_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-29_5a569d8a67aa4a61d44861abf45ea67c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_5a569d8a67aa4a61d44861abf45ea67c_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
57KB

MD5
f3cd3d000341603aa87ce018a9ec48a8

SHA1
b340b6322b8faf143eaac07f7aebff13fb9af635

SHA256
02bb4ed35d73762d5f2b315c00a0b3d73c1f8a818335d3f7067f5f8c4b3b9629

SHA512
83368d872e2a55b1c52f66bf5e5ea0050e76eb94b8cb4776e63670231bfe0317b429bae058d139974977b3fab5b96fcf9d502db76a9560d4517a4b8119b07330

Download Submit
memory/2096-15-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/2096-21-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/3004-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/3004-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/3004-2-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download