0383cd847859a5f7906ac545cdfe520279368f7bffb833cef4f71d6ca44f97e9

Analysis

max time kernel
141s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_09e9889d3ef19e8445020d20e13cdff7_cryptolocker.exe
Size

86KB
MD5

09e9889d3ef19e8445020d20e13cdff7
SHA1

0a488cc05d7080451d9b60630c6f828dfa2f48f4
SHA256

0383cd847859a5f7906ac545cdfe520279368f7bffb833cef4f71d6ca44f97e9
SHA512

c34ccfb2cad38793e2d896eea4ff2f44edd2a5d2416068fcf3d41873391819a4439f99a35868ccebd5cc2d85020052322493ad00c1b7fe85d7c1cd2a30a81891
SSDEEP

768:qkmnjFom/kLyMro2GtOOtEvwDpjeY10Y/YMsvlMdwPK80GQuchoIgtIJ/g:qkmnpomddpMOtEvwDpjJGYQbN/PKwMgp

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/1396-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x00080000000120f8-11.dat	CryptoLocker_rule2
behavioral1/memory/1396-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2732-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2732-25-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 5 IoCs

resource	yara_rule
behavioral1/memory/1396-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x00080000000120f8-11.dat	CryptoLocker_set1
behavioral1/memory/1396-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2732-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2732-25-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/memory/1396-0-0x0000000000500000-0x000000000050F000-memory.dmp	UPX
behavioral1/files/0x00080000000120f8-11.dat	UPX
behavioral1/memory/1396-15-0x0000000000500000-0x000000000050F000-memory.dmp	UPX
behavioral1/memory/2732-16-0x0000000000500000-0x000000000050F000-memory.dmp	UPX
behavioral1/memory/2732-25-0x0000000000500000-0x000000000050F000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2732	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1396	2024-02-12_09e9889d3ef19e8445020d20e13cdff7_cryptolocker.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1396-0-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/files/0x00080000000120f8-11.dat	upx
behavioral1/memory/1396-15-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/memory/2732-16-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/memory/2732-25-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 2732	1396	2024-02-12_09e9889d3ef19e8445020d20e13cdff7_cryptolocker.exe	28
PID 1396 wrote to memory of 2732	1396	2024-02-12_09e9889d3ef19e8445020d20e13cdff7_cryptolocker.exe	28
PID 1396 wrote to memory of 2732	1396	2024-02-12_09e9889d3ef19e8445020d20e13cdff7_cryptolocker.exe	28
PID 1396 wrote to memory of 2732	1396	2024-02-12_09e9889d3ef19e8445020d20e13cdff7_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-12_09e9889d3ef19e8445020d20e13cdff7_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_09e9889d3ef19e8445020d20e13cdff7_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
87KB

MD5
d625bf186c32703ec5d07b646b884b98

SHA1
ff873e9207f19ca422dd6fdd2c1104c76b91c583

SHA256
4fab1218f4597fc09ec9cc2184aade2f38c39926eefb22b7a8a897c4b350246c

SHA512
494247788f129d3d67a8c254429c3efb2b19ac2d95d3dc965ec799b2cc06f6fd27f2950b6b60a7341c93fca43abb5abbe55a13d3682222ae22d4655ec1300d68

Download Submit
memory/1396-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1396-1-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/1396-2-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/1396-4-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/1396-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2732-16-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2732-18-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/2732-25-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download