14fa115e1ea7fefe44ea29b0df92cec0ca6cfbc71a21ba91ab902d80f8a43331

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_765f16fbf3ea80177e944243e69fbae8_cryptolocker.exe
Size

73KB
MD5

765f16fbf3ea80177e944243e69fbae8
SHA1

61a79c1866ba169fc87c8f1b40efed56878d2449
SHA256

14fa115e1ea7fefe44ea29b0df92cec0ca6cfbc71a21ba91ab902d80f8a43331
SHA512

1c24b26740dc7dbb6de0bc72a14c5c04f2ab482048994f1b556531a51e194abd1df8a776dcc4d1bd431b94d1211240769ec80c316a7796fdc4ceee37e789c423
SSDEEP

1536:X6QFElP6n+gJQMOtEvwDpjBZYTjipvF2bx1UD:X6a+SOtEvwDpjBZYvQd2Y

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012254-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012254-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2012	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2796	2024-03-15_765f16fbf3ea80177e944243e69fbae8_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2012	2796	2024-03-15_765f16fbf3ea80177e944243e69fbae8_cryptolocker.exe	28
PID 2796 wrote to memory of 2012	2796	2024-03-15_765f16fbf3ea80177e944243e69fbae8_cryptolocker.exe	28
PID 2796 wrote to memory of 2012	2796	2024-03-15_765f16fbf3ea80177e944243e69fbae8_cryptolocker.exe	28
PID 2796 wrote to memory of 2012	2796	2024-03-15_765f16fbf3ea80177e944243e69fbae8_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-15_765f16fbf3ea80177e944243e69fbae8_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_765f16fbf3ea80177e944243e69fbae8_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
74KB

MD5
97dc4757c373dea9ea15fbef652e982f

SHA1
9d0b39a7aacb45d50915e1aae90281008239aa0e

SHA256
a477a55c3a1ab140c5a8c1cb2a7b1cd34e732b9e6bb6b55d4c356d8c6d3b36e5

SHA512
b7f0145c72fdfb3dbe9ac0b832407b6d01494f2a51575a4dc75c55ef24f1b035159c7d8eb7b2e1af5e78b7b360911ef071dbbbdca21f81c7701948835b0a1b13

Download Submit
memory/2012-15-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2012-22-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2796-0-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2796-1-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2796-2-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download