f90b4bf6fd99960d7e5becc234c6bcfc813dbba8e8e7fd49232269982bf56923

General

Target

2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe
Size

5.5MB
MD5

97512fd53f2b734fdbee327d6cdff297
SHA1

efd56c8a61bb14fa0358cdc6e2c13eeea9fc9677
SHA256

f90b4bf6fd99960d7e5becc234c6bcfc813dbba8e8e7fd49232269982bf56923
SHA512

9c729d8ee67b56744348f4e729d88d3b072107e4c3ec381442ed4d3ff0b6621e2835c2ae88a2b061f49a745f5b4bf9b2fd03190ae2e1c9f2d9690e274b4aa236
SSDEEP

98304:B2TI98GkoP+kfhZ5Tgm7jdwg+Zl3dKxikhFmg+47eggcgiP05h2VC:OI1PvfhfhOZzkzmg+8egrghz

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 9 IoCs

resource	yara_rule
behavioral1/memory/3004-0-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/3004-4-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000b000000015c73-20.dat	CryptoLocker_rule2
behavioral1/memory/3004-25-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000b000000015c73-23.dat	CryptoLocker_rule2
behavioral1/files/0x000b000000015c73-24.dat	CryptoLocker_rule2
behavioral1/memory/1824-27-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1824-31-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1824-41-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 5 IoCs

resource	yara_rule
behavioral1/memory/3004-4-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_set1
behavioral1/memory/3004-25-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1824-27-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1824-31-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1824-41-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
1824	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
3004	2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3004	2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe
1824	asih.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1824	3004	2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe	27
PID 3004 wrote to memory of 1824	3004	2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe	27
PID 3004 wrote to memory of 1824	3004	2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe	27
PID 3004 wrote to memory of 1824	3004	2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe	27

C:\Users\Admin\AppData\Local\Temp\2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
1.2MB

MD5
90943ee8c86ff72f4b49b2b7ad1b2c14

SHA1
3293638297bce274cdc6c0c42982e4ecb8e492ec

SHA256
3d45c59213e4176019586c5ddbe201ad1953d89d60c91593fff8d860c58a4e02

SHA512
44c75ea02d491270e96a7daa22672c26e5783c8c59b918c3eb184110fef97096fba37744b51a005fc86bf654646b0154eb554fbd973a2c54b6db99929a89e10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
1.6MB

MD5
8e7f16a59299f6dfe783a4c070d90e09

SHA1
7c2e588889b06c16a022efd7cc5ff037932e4478

SHA256
f976e37e7dbe912ab274a7507dcdb61e8c0f83ec277c6aaaa9a0fa00260a7208

SHA512
2b6d6f329021768a53e5239d684d8e231947d3185953680098a6f999ff5dca8859518598b9ae0fd1713e4964ac59a523982d49ec88e85492370bfb8684d2d98e

Download Submit
\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
1.7MB

MD5
7e4e7eb2e82b04eeae9123cfe76b41a9

SHA1
f476ce6e47a6cbadd0f81c8ed308b38d653e78ef

SHA256
f6b743f7e35b57cc7dd17810ecbe18e118b2dc86eaac884c1151a71764097b3e

SHA512
04a148db835061294b4dc1bad72b96faf08a4e963cf5939939838a4609e94cbd80cf8acc1c8783b887b0a325476d0c96032604cb5919f12bb65d34fad5997496

Download Submit
memory/1824-41-0x0000000000500000-0x0000000000D8A000-memory.dmp

Filesize
8.5MB

Download
memory/1824-35-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1824-31-0x0000000000500000-0x0000000000D8A000-memory.dmp

Filesize
8.5MB

Download
memory/1824-27-0x0000000000500000-0x0000000000D8A000-memory.dmp

Filesize
8.5MB

Download
memory/3004-7-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3004-11-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/3004-12-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/3004-25-0x0000000000500000-0x0000000000D8A000-memory.dmp

Filesize
8.5MB

Download
memory/3004-10-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/3004-9-0x0000000077720000-0x0000000077721000-memory.dmp

Filesize
4KB

Download
memory/3004-0-0x0000000000500000-0x0000000000D8A000-memory.dmp

Filesize
8.5MB

Download
memory/3004-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3004-4-0x0000000000500000-0x0000000000D8A000-memory.dmp

Filesize
8.5MB

Download
memory/3004-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing