375da68c227301badf0b1753aab944ba45c07930fec0c6d3f184a3adef997622

Analysis

max time kernel
172s
max time network
182s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_bbd1ac9f9b6dfbc0cce4e65d70a3a9ee_cryptolocker.exe
Size

54KB
MD5

bbd1ac9f9b6dfbc0cce4e65d70a3a9ee
SHA1

93023baa7550346e0826df3458bb2c0a839c44c1
SHA256

375da68c227301badf0b1753aab944ba45c07930fec0c6d3f184a3adef997622
SHA512

d80724a860a1a38d3c82b9065a01c3adb1d26111a1197c5de4dffe4663b6607a764dbe17fca0e9533ff595c0afa817856d993e463febcb7eb97b531b10d17402
SSDEEP

1536:X6QFElP6n+gJBMOtEvwDpjBtE1yILJ0VO:X6a+BOtEvwDpjBOR

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012261-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012261-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
292	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2816	2024-02-13_bbd1ac9f9b6dfbc0cce4e65d70a3a9ee_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 292	2816	2024-02-13_bbd1ac9f9b6dfbc0cce4e65d70a3a9ee_cryptolocker.exe	29
PID 2816 wrote to memory of 292	2816	2024-02-13_bbd1ac9f9b6dfbc0cce4e65d70a3a9ee_cryptolocker.exe	29
PID 2816 wrote to memory of 292	2816	2024-02-13_bbd1ac9f9b6dfbc0cce4e65d70a3a9ee_cryptolocker.exe	29
PID 2816 wrote to memory of 292	2816	2024-02-13_bbd1ac9f9b6dfbc0cce4e65d70a3a9ee_cryptolocker.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-02-13_bbd1ac9f9b6dfbc0cce4e65d70a3a9ee_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_bbd1ac9f9b6dfbc0cce4e65d70a3a9ee_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
54KB

MD5
da17e073bf2b1f606185ea6dcf3afb0c

SHA1
e6f4f9b19503101a75ed4b9a828fae6e812013ba

SHA256
97b629b5b1788c0e90143a8ed84985ea457e417ff2eb43fa394774e545344551

SHA512
c5e9ab0e265cdf94cc5b43bd3df84e313053062694072e93e6eb6df59b6c3b1832b2dc5e0b966d9f1633704418981706cd79aad184ec4580259988cd326516d4

Download Submit
memory/292-15-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2816-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2816-1-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/2816-4-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download