82309afe570cd979c77841864fe765268972313c4d02c70928b381ab96a46fa4

General

Target

2024-02-13_9736c4ef9807ad912eb5917c98963c08_cryptolocker.exe
Size

58KB
MD5

9736c4ef9807ad912eb5917c98963c08
SHA1

00d418d5e45ef5a3f9183dc88c92b3c4228dbd02
SHA256

82309afe570cd979c77841864fe765268972313c4d02c70928b381ab96a46fa4
SHA512

172068a95486236ecf2c661b2b89e213d65c30ab3f35434e9c65996b6f52c46c20d6166de430ed0b2dd1a3c42e0423161852354b5592b889cee96381f7310608
SSDEEP

768:z6LsoEEeegiZPvEhHSG+gzum/kLyMro2GtOOtEvwDpj/YMLam5appgcmM:z6QFElP6n+gKmddpMOtEvwDpj9aYaQ3M

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 6 IoCs

resource	yara_rule
behavioral1/memory/2476-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x0009000000012252-11.dat	CryptoLocker_rule2
behavioral1/memory/2476-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2352-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2476-27-0x00000000026C0000-0x00000000026D0000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2352-28-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 6 IoCs

resource	yara_rule
behavioral1/memory/2476-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x0009000000012252-11.dat	CryptoLocker_set1
behavioral1/memory/2476-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2352-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2476-27-0x00000000026C0000-0x00000000026D0000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2352-28-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral1/memory/2476-0-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/files/0x0009000000012252-11.dat	UPX
behavioral1/memory/2476-15-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/2352-17-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/2476-27-0x00000000026C0000-0x00000000026D0000-memory.dmp	UPX
behavioral1/memory/2352-28-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2352	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2476	2024-02-13_9736c4ef9807ad912eb5917c98963c08_cryptolocker.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2476-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x0009000000012252-11.dat	upx
behavioral1/memory/2476-15-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2352-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2476-27-0x00000000026C0000-0x00000000026D0000-memory.dmp	upx
behavioral1/memory/2352-28-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2352	2476	2024-02-13_9736c4ef9807ad912eb5917c98963c08_cryptolocker.exe	28
PID 2476 wrote to memory of 2352	2476	2024-02-13_9736c4ef9807ad912eb5917c98963c08_cryptolocker.exe	28
PID 2476 wrote to memory of 2352	2476	2024-02-13_9736c4ef9807ad912eb5917c98963c08_cryptolocker.exe	28
PID 2476 wrote to memory of 2352	2476	2024-02-13_9736c4ef9807ad912eb5917c98963c08_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-13_9736c4ef9807ad912eb5917c98963c08_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_9736c4ef9807ad912eb5917c98963c08_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
58KB

MD5
4f75c2b547647240c8afb7802f456b05

SHA1
08cfbba0dbf7bd1891c5027b98ad298de9bc3f26

SHA256
f16d7b62412352db3bebaadd33452a807c5b65a6e8ed325d51da424d182f8146

SHA512
bece0a9f55765caeb03574ab53f96de7688c0477fc0d2ea0f011da2157fa55db0358d8043e25645c9e382ceb0852574b5a3ac8e29998f70fab269563743de9df

Download Submit
memory/2352-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2352-19-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2352-21-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2352-28-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2476-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2476-1-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2476-2-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2476-4-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2476-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2476-16-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/2476-27-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing