5b197e47f0c5ffd60ddb7bf4d22834cb527980dbceb0ad64a23fff463113fe32

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 19:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_3928a4af51e6de4f3e52c681d43bb3ad_cryptolocker.exe
Size

84KB
MD5

3928a4af51e6de4f3e52c681d43bb3ad
SHA1

4c985c8456a95c642ca04bb4a2d8682c4bcc3100
SHA256

5b197e47f0c5ffd60ddb7bf4d22834cb527980dbceb0ad64a23fff463113fe32
SHA512

5a91fbfd56a0ac55cfb8abab79d8616e4d765834a97a9d566334873e9d623cd3eb13153b14eb8863198babe181e4d11204fe4ae0cdea731abe2520a0e0312e62
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjyaLccVNlVSLQK:V6a+pOtEvwDpjvp8

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000013a88-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000013a88-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2480	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1856	2024-02-22_3928a4af51e6de4f3e52c681d43bb3ad_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2480	1856	2024-02-22_3928a4af51e6de4f3e52c681d43bb3ad_cryptolocker.exe	28
PID 1856 wrote to memory of 2480	1856	2024-02-22_3928a4af51e6de4f3e52c681d43bb3ad_cryptolocker.exe	28
PID 1856 wrote to memory of 2480	1856	2024-02-22_3928a4af51e6de4f3e52c681d43bb3ad_cryptolocker.exe	28
PID 1856 wrote to memory of 2480	1856	2024-02-22_3928a4af51e6de4f3e52c681d43bb3ad_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-22_3928a4af51e6de4f3e52c681d43bb3ad_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_3928a4af51e6de4f3e52c681d43bb3ad_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
84KB

MD5
53722fa0a196cdd0cfed3d489b8bf470

SHA1
f34504cb2e55462e55bb658b01757df299867dc6

SHA256
150fd1d22742a8420fae136e13c255140c6d8eeaffa035d367032fce5aa8c226

SHA512
923a42a9405a5a3cbdcc8fecd6d12b6675f7aafe8bfaaf56c5734dfa3f3899cbd41f83231bc70d9e63bfe5c8fe28943b7bfb8241be1ddf06ffd2da9abcb67a93

Download Submit
memory/1856-0-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/1856-1-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/1856-8-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2480-15-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download
memory/2480-19-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download