56bbba47f703ff48638c3a56915fb4a0df5f4e6e40b85d5b12edea64bd99f408

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_7e5af85e09737a9049032ed496cb1d2c_cryptolocker.exe
Size

117KB
MD5

7e5af85e09737a9049032ed496cb1d2c
SHA1

f6090acd86be9a9124c78a39b31247996820c841
SHA256

56bbba47f703ff48638c3a56915fb4a0df5f4e6e40b85d5b12edea64bd99f408
SHA512

469883e72a01b49f163903dd227264e9e9f4d69c9bfb4724198d7185ea8a113f13d03405a608c5c626b14361a2f757ec0683f9c885ff70bd1496727f2f049324
SSDEEP

1536:z6QFElP6n+gKmddpMOtEvwDpj3GYQbN/PKwNgp01Qai:z6a+CdOOtEvwDpjcz8

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/2332-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000d00000001225b-11.dat	CryptoLocker_rule2
behavioral1/memory/2332-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2284-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2284-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 5 IoCs

resource	yara_rule
behavioral1/memory/2332-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000d00000001225b-11.dat	CryptoLocker_set1
behavioral1/memory/2332-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2284-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2284-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/memory/2332-0-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/files/0x000d00000001225b-11.dat	UPX
behavioral1/memory/2332-15-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/2284-16-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/2284-26-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2284	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2332	2024-02-23_7e5af85e09737a9049032ed496cb1d2c_cryptolocker.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2332-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000d00000001225b-11.dat	upx
behavioral1/memory/2332-15-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2284-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2284-26-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2284	2332	2024-02-23_7e5af85e09737a9049032ed496cb1d2c_cryptolocker.exe	28
PID 2332 wrote to memory of 2284	2332	2024-02-23_7e5af85e09737a9049032ed496cb1d2c_cryptolocker.exe	28
PID 2332 wrote to memory of 2284	2332	2024-02-23_7e5af85e09737a9049032ed496cb1d2c_cryptolocker.exe	28
PID 2332 wrote to memory of 2284	2332	2024-02-23_7e5af85e09737a9049032ed496cb1d2c_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-23_7e5af85e09737a9049032ed496cb1d2c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_7e5af85e09737a9049032ed496cb1d2c_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
117KB

MD5
f0e8b4365a351deb557810ff7af9e840

SHA1
c29a6e34910c0f4b20ecad38680468c3fec24ac0

SHA256
d1be878ac0b779a7913a3c38f0909eed5ce1b910cc824af59954cc50c2eb4855

SHA512
0c38df7b1a643dd0bc535a3be8201176a42601c266251023f275ff84030098bd109b9ea4b7e1dfac895a225111ae7c4e00544a138037c99194668c9983232eda

Download Submit
memory/2284-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2284-18-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2284-21-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2284-26-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2332-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2332-1-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/2332-2-0x0000000001CD0000-0x0000000001CD6000-memory.dmp

Filesize
24KB

Download
memory/2332-4-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/2332-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download