c038e2305f5f2a67dd36de2cb373ee662f77b348fe130f305ca4e0b04fc0f6dd

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_b933857049c7871c1e0bb021304c5216_cryptolocker.exe
Size

38KB
MD5

b933857049c7871c1e0bb021304c5216
SHA1

6f4c45d45cc7114607252c2e7b1e1551d46cff4f
SHA256

c038e2305f5f2a67dd36de2cb373ee662f77b348fe130f305ca4e0b04fc0f6dd
SHA512

368a6eb51a478b5ece9cc85c2a55a4e9242008fe3f7ad2f6edc2db8153e2e71ae138516ae03d10f47a24ab0c5ab610aa853e2b148b8c13e463d4ec78d017e0f1
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaac4HK/wSl:X6QFElP6n+gJQMOtEvwDpjBsYK/l

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012232-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012232-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2284	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2080	2024-02-19_b933857049c7871c1e0bb021304c5216_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2284	2080	2024-02-19_b933857049c7871c1e0bb021304c5216_cryptolocker.exe	28
PID 2080 wrote to memory of 2284	2080	2024-02-19_b933857049c7871c1e0bb021304c5216_cryptolocker.exe	28
PID 2080 wrote to memory of 2284	2080	2024-02-19_b933857049c7871c1e0bb021304c5216_cryptolocker.exe	28
PID 2080 wrote to memory of 2284	2080	2024-02-19_b933857049c7871c1e0bb021304c5216_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-19_b933857049c7871c1e0bb021304c5216_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_b933857049c7871c1e0bb021304c5216_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
38KB

MD5
89f5a7d11f3e937ee982d5472c5fb889

SHA1
6820bf4cec2b90a0c7938ebd7cfe5fe80df088a4

SHA256
8d4594be99be9fdc7c8728c0515caf6d4056e513dd8a7b6963d18a77c82fd9dd

SHA512
4633bf1e60cfbe6a0606072c6a75c4713b7bc00d98b07c215af165ce4d0f94d1c35fcc879fc202b81e62f8adf189e345ec3afd2e4e36144005306a62908070e9

Download Submit
memory/2080-0-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/2080-1-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2080-8-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/2284-15-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2284-22-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download