f11890c271cd6761303505cefdd8272d6d6f723f746c7f0ee48d71c4d89bb1d9

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 06:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_5a3ea99f1f9e7900463c72f9349115ed_cryptolocker.exe
Size

49KB
MD5

5a3ea99f1f9e7900463c72f9349115ed
SHA1

91a6e9c5e41c4775e86e260f49447688921c1968
SHA256

f11890c271cd6761303505cefdd8272d6d6f723f746c7f0ee48d71c4d89bb1d9
SHA512

3b01842da8ad114851ae1b10166f322d1c173e890b5a55bd77bda3970c7723a281b2fc2c0ee8aac9e77bd4c3a51f24de2cbfd9d3370b5bf7608f44b43849de18
SSDEEP

768:79inqyNR/QtOOtEvwDpjBK/rJ+Nw8qnTHY+M:79mqyNhQMOtEvwDpjBxe8Ge

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

resource	yara_rule
behavioral1/memory/2444-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000b000000012252-11.dat	CryptoLocker_rule2
behavioral1/memory/2456-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2444-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral1/memory/2444-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000b000000012252-11.dat	CryptoLocker_set1
behavioral1/memory/2456-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2444-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2456	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2444	2024-02-18_5a3ea99f1f9e7900463c72f9349115ed_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2456	2444	2024-02-18_5a3ea99f1f9e7900463c72f9349115ed_cryptolocker.exe	28
PID 2444 wrote to memory of 2456	2444	2024-02-18_5a3ea99f1f9e7900463c72f9349115ed_cryptolocker.exe	28
PID 2444 wrote to memory of 2456	2444	2024-02-18_5a3ea99f1f9e7900463c72f9349115ed_cryptolocker.exe	28
PID 2444 wrote to memory of 2456	2444	2024-02-18_5a3ea99f1f9e7900463c72f9349115ed_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-18_5a3ea99f1f9e7900463c72f9349115ed_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_5a3ea99f1f9e7900463c72f9349115ed_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
49KB

MD5
f34e0da2b484ca9b8a2594cca5bd0a95

SHA1
4014371bd8ae585c6f2ed5fd5e0a0b16c030cabe

SHA256
b274162c00e3fce4aae4e6dcadad849f12e36943875e910ed5e982e3bac647f3

SHA512
6981c74382367ad42b986cbf222bbf17bba2d2aeb674fa18a3d1ad2420b5193572d57dc8a051d04bc93d44b93db377c7f9b3ad78504a9eb60ec282d7d5b1058e

Download Submit
memory/2444-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2444-1-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2444-2-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2444-3-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/2444-16-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2456-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2456-19-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/2456-18-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download