1f5df789cad74156fbcbd3f22c30a49e4f1ef4706c9e1ef7d1c509931817c3ce

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-27_9700e868d576d333680a02e44fd39f07_cryptolocker.exe
Size

48KB
MD5

9700e868d576d333680a02e44fd39f07
SHA1

1997e168801e634337810e152ddd76c1379d4892
SHA256

1f5df789cad74156fbcbd3f22c30a49e4f1ef4706c9e1ef7d1c509931817c3ce
SHA512

d7e2ef78c7bb4edf1926ffdac62d411f2b8801bc8a11486ffe37aefece40ba56213f1f8af14e5f07eb9fdce15fd45fc987e3ea5acc5a6d4008e4289773c4a84c
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaaEqbIu55id3AMWZo:X6QFElP6n+gJQMOtEvwDpjB0GIWiWLC

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012249-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012249-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2556	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2964	2024-02-27_9700e868d576d333680a02e44fd39f07_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2556	2964	2024-02-27_9700e868d576d333680a02e44fd39f07_cryptolocker.exe	28
PID 2964 wrote to memory of 2556	2964	2024-02-27_9700e868d576d333680a02e44fd39f07_cryptolocker.exe	28
PID 2964 wrote to memory of 2556	2964	2024-02-27_9700e868d576d333680a02e44fd39f07_cryptolocker.exe	28
PID 2964 wrote to memory of 2556	2964	2024-02-27_9700e868d576d333680a02e44fd39f07_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-27_9700e868d576d333680a02e44fd39f07_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-27_9700e868d576d333680a02e44fd39f07_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
49KB

MD5
9a9e99c6ea461f5d0c6cd8a98ceaf8d3

SHA1
eb01996ec25aa59bfa304532aacbf9147e971127

SHA256
7c02f465afafd000dd403ce241e4a658b9f6b0518b456a45dc0b87bfb0095b0a

SHA512
7d04896f2f6409768a2eb8e44badfbc628ab25abc016af41d898d76f7fec751a4f92599142bccb4b388ab2e807ec488cede73633a1ad08dc21e7125e9fb08927

Download Submit
memory/2556-15-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2556-22-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2964-0-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/2964-1-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/2964-8-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download