dea78ab42482c13e3d41cf3554c73f2411d3b56978dfbb98f8bb0c13a184215c

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 16:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_2f4981170b19646c4d7417025276f5b8_cryptolocker.exe
Size

97KB
MD5

2f4981170b19646c4d7417025276f5b8
SHA1

177e17de8b4bc351d81e7ad18f6b870b98c86f91
SHA256

dea78ab42482c13e3d41cf3554c73f2411d3b56978dfbb98f8bb0c13a184215c
SHA512

781fd9a93dd1b19eb9a8cefae7fe638d6db15de67a55aa59fff008a79724e9017b5abe59bc231c230afbd548924e8536c425f7785ce77e353be60cf4eb78e53b
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjQGYQbN/PKwNgpQbr:V6a+pOtEvwDpjtzb

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012252-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012252-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2684	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2492	2024-02-23_2f4981170b19646c4d7417025276f5b8_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2684	2492	2024-02-23_2f4981170b19646c4d7417025276f5b8_cryptolocker.exe	28
PID 2492 wrote to memory of 2684	2492	2024-02-23_2f4981170b19646c4d7417025276f5b8_cryptolocker.exe	28
PID 2492 wrote to memory of 2684	2492	2024-02-23_2f4981170b19646c4d7417025276f5b8_cryptolocker.exe	28
PID 2492 wrote to memory of 2684	2492	2024-02-23_2f4981170b19646c4d7417025276f5b8_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-23_2f4981170b19646c4d7417025276f5b8_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_2f4981170b19646c4d7417025276f5b8_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
97KB

MD5
21092a1cbf53c8a5b24338ca4011ded3

SHA1
3fbdd6b65311351d00e5e745d1500d15e75263be

SHA256
ca01feb483834f6a769edf5f493f4f8fca47d67eade61d969cbc446424b041b7

SHA512
b3d8a7e11fd05709edff9d81e35377cdfb9a857c25c3385e881de1613f4922f0d72ca76e3310766098717f4edcde4c51ad48045e4dfe3732cdd4c14e7556c738

Download Submit
memory/2492-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2492-2-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/2492-1-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2684-15-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2684-19-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download