41893b65f163fab875ef807fcab91bd6ec2d326814e0eeb46d437972d9cb2f0c

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-07_eaceb5bef6cecff87a70e85b1a7638c5_cryptolocker.exe
Size

98KB
MD5

eaceb5bef6cecff87a70e85b1a7638c5
SHA1

734083309189593c2c0dd7558ba51e439dd4e629
SHA256

41893b65f163fab875ef807fcab91bd6ec2d326814e0eeb46d437972d9cb2f0c
SHA512

159eed481decda5081ef714ec8ca95aa3185284dfc3eff7e27750098d38ec004a7c1e67c000ecbcd012f612175429704f4a0cf95b3aaa8a8212e3846becb2c0c
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjQGYQbN/PKwNgpQbCJjuz:V6a+pOtEvwDpjtzV

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224c-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224c-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2448	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
640	2024-03-07_eaceb5bef6cecff87a70e85b1a7638c5_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2448	640	2024-03-07_eaceb5bef6cecff87a70e85b1a7638c5_cryptolocker.exe	28
PID 640 wrote to memory of 2448	640	2024-03-07_eaceb5bef6cecff87a70e85b1a7638c5_cryptolocker.exe	28
PID 640 wrote to memory of 2448	640	2024-03-07_eaceb5bef6cecff87a70e85b1a7638c5_cryptolocker.exe	28
PID 640 wrote to memory of 2448	640	2024-03-07_eaceb5bef6cecff87a70e85b1a7638c5_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-07_eaceb5bef6cecff87a70e85b1a7638c5_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-07_eaceb5bef6cecff87a70e85b1a7638c5_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
99KB

MD5
81a488f6669df72aefd61655deddd7df

SHA1
bbd8a3528fe9bad5e634bd0fc04d061d7dc70efd

SHA256
aed4329844d451e7f064d6c18acc7594740941077ba1a09f2700a9f2bce0c57b

SHA512
d50d0be91bdb4427404bced4426155867b833438305990e825c9fe5c88964330fd7f74f5b69438b56e826ea560b03b00c79eead0ace390f7269761aced481bf4

Download Submit
memory/640-0-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/640-2-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/640-1-0x0000000001CD0000-0x0000000001CD6000-memory.dmp

Filesize
24KB

Download
memory/2448-15-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2448-19-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download