ef7b6b5b5bc9c58981286db3db61aee66d5d25ef05281522655336e25783ccdf

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 05:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-07_6122edaf9c27fe2b67c6d5790981225b_cryptolocker.exe
Size

72KB
MD5

6122edaf9c27fe2b67c6d5790981225b
SHA1

d3432a36b509a7d2303559482f5797f28a551c03
SHA256

ef7b6b5b5bc9c58981286db3db61aee66d5d25ef05281522655336e25783ccdf
SHA512

922dff3b85c0671a5a2dc8cd8c7d7ffde74804ee420a8574e57ae09016b26f50b688d2171344825937bc91cf4328c3af22bc9fda2118d8a23316f28caaaddc66
SSDEEP

1536:X6QFElP6n+gJQMOtEvwDpjBZYTjipvF2bx1rHst:X6a+SOtEvwDpjBZYvQd2O

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012254-13.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012254-13.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
1680	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1632	2024-03-07_6122edaf9c27fe2b67c6d5790981225b_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1680	1632	2024-03-07_6122edaf9c27fe2b67c6d5790981225b_cryptolocker.exe	28
PID 1632 wrote to memory of 1680	1632	2024-03-07_6122edaf9c27fe2b67c6d5790981225b_cryptolocker.exe	28
PID 1632 wrote to memory of 1680	1632	2024-03-07_6122edaf9c27fe2b67c6d5790981225b_cryptolocker.exe	28
PID 1632 wrote to memory of 1680	1632	2024-03-07_6122edaf9c27fe2b67c6d5790981225b_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-07_6122edaf9c27fe2b67c6d5790981225b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-07_6122edaf9c27fe2b67c6d5790981225b_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
72KB

MD5
8701d15a95c1fa4d71590c61298b4aff

SHA1
8d06a45194e625e677ca067ecd41b0604b9295db

SHA256
bdcabce7486e4712bd6e6cead2c6a45351c75316af882f5bec2af02b1dfda7dd

SHA512
2d1357154a363e043f0fb10adf5c243f63c68088b8d3bf903a5a242259a14d9d71720364bbe0dba313c4a8877ad53f3625d6ce0dd97e9d4de766c720328c0ed9

Download Submit
memory/1632-0-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/1632-1-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/1632-8-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/1680-15-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1680-18-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download