dd9a6ab0da53fdc0dc788094411b412bb2213845a984f46c691c7883397ce849

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe
Size

46KB
MD5

da176fda146dda66456b2c20e3f89c7b
SHA1

6ac3ccec0b5098151504263f101cb41726567857
SHA256

dd9a6ab0da53fdc0dc788094411b412bb2213845a984f46c691c7883397ce849
SHA512

7158f591c06061f50282b28bbf8235cc375f5636be5ea1f9cffcc48753f6b868f27ba5e14aa6d7f12a9a510340a26fda696c471daeef7b87f5bf104878712c1a
SSDEEP

768:qmOKYQDf5XdrDmjr5tOOtEvwDpjAajFEitQbDmoSQCVUBJUkQqAHBIG05W2Mobez:qmbhXDmjr5MOtEvwDpj5cDtKkQZQG

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/1048-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000a00000001224c-11.dat	CryptoLocker_rule2
behavioral1/memory/1048-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2612-18-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2612-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 3 IoCs

resource	yara_rule
behavioral1/memory/1048-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2612-18-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2612-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/memory/1048-0-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/files/0x000a00000001224c-11.dat	UPX
behavioral1/memory/1048-15-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/2612-18-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/2612-27-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2612	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1048	2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2612	1048	2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe	28
PID 1048 wrote to memory of 2612	1048	2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe	28
PID 1048 wrote to memory of 2612	1048	2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe	28
PID 1048 wrote to memory of 2612	1048	2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_da176fda146dda66456b2c20e3f89c7b_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
46KB

MD5
b02c9b8cb26e19fcbcf10c66622c91e9

SHA1
feb28c0ddd1044740e79c2fffd5edd37a6353cc8

SHA256
955ac69bc1d68c29c4f80af8ffd58b37c69dddfaaf1739df9b2c789433e54c59

SHA512
62c15dc20827db3288ce0281daefc1453864466aa5541c55c1c02af7d23a9fa8c3ca216f919ec9841ff6151da4213d21ab08a6c64b842181db3c992d5f841e24

Download Submit
memory/1048-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1048-1-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1048-2-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/1048-3-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1048-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1048-17-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/2612-20-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2612-19-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2612-18-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2612-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download