c663f5162ada9d0cbca1614784061cf1e5f16171d180b1565c110b81e1d1166d

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_9249a009ba00a7ca9a704dcf89a9e112_cryptolocker.exe
Size

52KB
MD5

9249a009ba00a7ca9a704dcf89a9e112
SHA1

d5149cfd04f89b042b064f99e0578545baaae454
SHA256

c663f5162ada9d0cbca1614784061cf1e5f16171d180b1565c110b81e1d1166d
SHA512

565921e32d5ed9c8d5b08c35890712a35d43ff88920121ef2ccab3c546bf5d06600df59573713d5fb686f1abc323a945185247c31a17d39ef161c9d7df8c21ab
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/BtOOtEvwDpjBVaD3E09vaTCFWpzgVr2z8h4:X6QFElP6n+gJBMOtEvwDpjBtELVe8a

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012253-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012253-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2036	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2080	2024-02-23_9249a009ba00a7ca9a704dcf89a9e112_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2036	2080	2024-02-23_9249a009ba00a7ca9a704dcf89a9e112_cryptolocker.exe	28
PID 2080 wrote to memory of 2036	2080	2024-02-23_9249a009ba00a7ca9a704dcf89a9e112_cryptolocker.exe	28
PID 2080 wrote to memory of 2036	2080	2024-02-23_9249a009ba00a7ca9a704dcf89a9e112_cryptolocker.exe	28
PID 2080 wrote to memory of 2036	2080	2024-02-23_9249a009ba00a7ca9a704dcf89a9e112_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-23_9249a009ba00a7ca9a704dcf89a9e112_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_9249a009ba00a7ca9a704dcf89a9e112_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
52KB

MD5
cf8d573e6b35d70ad95272f81490cd89

SHA1
5ad02d55b24ed66abfa2fbd83e2c57c7bef7182d

SHA256
4803a9fa2965c81576c4ff013161187e16db4e6c5bb289460c6eb557155fbc81

SHA512
a5368a4af02aac3e9f007525586f07c06161936902a7a672f593c76878d0d47f7fdc79c3b7022bb3ffd088a89e84a8e6958e21bb26398d321e35b1e8690e8c50

Download Submit
memory/2036-15-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2036-17-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2080-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2080-1-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2080-3-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download