c85c785613e99f4f6cc61b21ca646ba2bf54a4d2444e7d88ad97507f4c09a008

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_0a4ca29f0a063a8c2123d1aba82d0bc8_cryptolocker.exe
Size

38KB
MD5

0a4ca29f0a063a8c2123d1aba82d0bc8
SHA1

b3ab1cdb9e0830ae9434ea953ad4ab5fe37f7459
SHA256

c85c785613e99f4f6cc61b21ca646ba2bf54a4d2444e7d88ad97507f4c09a008
SHA512

1b03def9e23aec71dc8341d39ad5598f42215162e1d83e9f1c7777f2fae304d67defc98bbdece7a37099e33abecdbc5b60a3b4e78eeb0ce1c5ffb738ed1bde86
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBVaD3TP7DFCpvsb:X6QFElP6n+gJQMOtEvwDpjBmzDUpvG

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122a8-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122a8-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
1712	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2264	2024-03-08_0a4ca29f0a063a8c2123d1aba82d0bc8_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1712	2264	2024-03-08_0a4ca29f0a063a8c2123d1aba82d0bc8_cryptolocker.exe	28
PID 2264 wrote to memory of 1712	2264	2024-03-08_0a4ca29f0a063a8c2123d1aba82d0bc8_cryptolocker.exe	28
PID 2264 wrote to memory of 1712	2264	2024-03-08_0a4ca29f0a063a8c2123d1aba82d0bc8_cryptolocker.exe	28
PID 2264 wrote to memory of 1712	2264	2024-03-08_0a4ca29f0a063a8c2123d1aba82d0bc8_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-08_0a4ca29f0a063a8c2123d1aba82d0bc8_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_0a4ca29f0a063a8c2123d1aba82d0bc8_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
38KB

MD5
bc49c5b5a6def3857306a2c4129acf96

SHA1
8f8399e00bf280b98fd7b4627f7c8f781b4ff1a5

SHA256
04664e86692f8fa081016444563b2f199963322f64a5fb12d1171951560c1972

SHA512
7ea882553a1fe43e3e380ae0374aa6ba22059e755a3f15776459a55691fd9090e820532336dd3dc1ae65825883ebed7d23ff5b7d204c32a2840d22e1c7d2f0af

Download Submit
memory/1712-15-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/1712-17-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2264-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2264-1-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/2264-8-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download