4820e5d62b12d843bd8718015bf3effb8f45b90c19128f546d99e27639e21d01

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_a5eee7bbabd3cd43dd761e06b99e9cfe_cryptolocker.exe
Size

48KB
MD5

a5eee7bbabd3cd43dd761e06b99e9cfe
SHA1

d3b80a1d2420b113357feb30a7c2d20f4f812e2e
SHA256

4820e5d62b12d843bd8718015bf3effb8f45b90c19128f546d99e27639e21d01
SHA512

4f6b7dcd0facf1424f013456c3a02cf781efe10d4a326512894bddf65c17e13ffd9e32b6724ab1afa8105e62bcb002cc0fcaa435b3154a1a121daa38f1a9d943
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjeJQ7pojakNfW:V6a+pOtEvwDpjt

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122db-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122db-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2668	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
828	2024-02-14_a5eee7bbabd3cd43dd761e06b99e9cfe_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 2668	828	2024-02-14_a5eee7bbabd3cd43dd761e06b99e9cfe_cryptolocker.exe	28
PID 828 wrote to memory of 2668	828	2024-02-14_a5eee7bbabd3cd43dd761e06b99e9cfe_cryptolocker.exe	28
PID 828 wrote to memory of 2668	828	2024-02-14_a5eee7bbabd3cd43dd761e06b99e9cfe_cryptolocker.exe	28
PID 828 wrote to memory of 2668	828	2024-02-14_a5eee7bbabd3cd43dd761e06b99e9cfe_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-14_a5eee7bbabd3cd43dd761e06b99e9cfe_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_a5eee7bbabd3cd43dd761e06b99e9cfe_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
49KB

MD5
bee4463c98c3ebeba351988de64f4b3b

SHA1
c1b0fc2346afa01bd842c167db60da6fa8a7f9e8

SHA256
81e213e3cb09c8eec58a7612fd3b9db6b872e768546119f318b4db0eab784066

SHA512
0fd9748ab296ee99ef8f9af7c1bf4027370a81a959828f8f5b828788865cc09d7c54dce6ffe21c0ae45c3799419c7a9b71639b4da4f7e721682ee63c9488f9ad

Download Submit
memory/828-0-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/828-1-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/828-3-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2668-16-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2668-15-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download