cf28ab7b2292b841d658a5511e10f21dec02a4529dc43562254d951a11e3955d

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_5f51eecee92fd44100cac46117ec5b7e_cryptolocker.exe
Size

45KB
MD5

5f51eecee92fd44100cac46117ec5b7e
SHA1

726ca2005dc3dd344d50591d55f92f5a2dca6e34
SHA256

cf28ab7b2292b841d658a5511e10f21dec02a4529dc43562254d951a11e3955d
SHA512

b47a071ea89d1943ea99f032cc96feb60178e51e25b1dcc4de8db52224a00e5b422e152310d5d139dceadf8368c340ba88e6b63cca39da5c04de232c9df76062
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaaEqbIu556yPRlas:X6QFElP6n+gJQMOtEvwDpjB0GIWvPRl1

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012247-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012247-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2756	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2912	2024-02-01_5f51eecee92fd44100cac46117ec5b7e_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2756	2912	2024-02-01_5f51eecee92fd44100cac46117ec5b7e_cryptolocker.exe	28
PID 2912 wrote to memory of 2756	2912	2024-02-01_5f51eecee92fd44100cac46117ec5b7e_cryptolocker.exe	28
PID 2912 wrote to memory of 2756	2912	2024-02-01_5f51eecee92fd44100cac46117ec5b7e_cryptolocker.exe	28
PID 2912 wrote to memory of 2756	2912	2024-02-01_5f51eecee92fd44100cac46117ec5b7e_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-01_5f51eecee92fd44100cac46117ec5b7e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_5f51eecee92fd44100cac46117ec5b7e_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
45KB

MD5
4e517770bc06383b0d089795620859a4

SHA1
0ad34b9a7d1994462572b7b3ce5005477035a9e4

SHA256
01880d0799d8b5f7e10c31849acdcf77ebf38d9139c35a5434c045af2305109d

SHA512
7068d90a3816d9dead7602220518c3fde9c8002318834ae8442b742301a5f5667e7a2e96f1b543f43c8efb2d3277f58c841f23ce16938fbaebf7bee55c2169b7

Download Submit
memory/2756-15-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/2912-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2912-1-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2912-2-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download