cfc7343cb335c4d8332cfe68122b8b7902a97cc7f4cfb942a0211090f6298fc4

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 14:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-25_74547209efff3249b75bf95e40592cbc_cryptolocker.exe
Size

31KB
MD5

74547209efff3249b75bf95e40592cbc
SHA1

5bd42485a64a9444dac0068372a811e0c2e9905c
SHA256

cfc7343cb335c4d8332cfe68122b8b7902a97cc7f4cfb942a0211090f6298fc4
SHA512

38f0aaea9466418cb105d5cb1c3d175b08759762e3190e768179f8933e1bd8f81e860d4a4eba66982f153f67a02dc9157435757a41765ba49d4360ada03ff309
SSDEEP

768:q0ZziOWwULueOSdE8tOOtEvwDpjeWaJIO/xOcsT4:q0zizzOSxMOtEvwDpj/arMHT4

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/1160-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000b0000000139e0-11.dat	CryptoLocker_rule2
behavioral1/memory/1160-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1888-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1888-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 3 IoCs

resource	yara_rule
behavioral1/memory/1160-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1888-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1888-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/memory/1160-0-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/files/0x000b0000000139e0-11.dat	UPX
behavioral1/memory/1160-15-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/1888-17-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/1888-26-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
1888	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1160	2024-03-25_74547209efff3249b75bf95e40592cbc_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1888	1160	2024-03-25_74547209efff3249b75bf95e40592cbc_cryptolocker.exe	28
PID 1160 wrote to memory of 1888	1160	2024-03-25_74547209efff3249b75bf95e40592cbc_cryptolocker.exe	28
PID 1160 wrote to memory of 1888	1160	2024-03-25_74547209efff3249b75bf95e40592cbc_cryptolocker.exe	28
PID 1160 wrote to memory of 1888	1160	2024-03-25_74547209efff3249b75bf95e40592cbc_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-25_74547209efff3249b75bf95e40592cbc_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-25_74547209efff3249b75bf95e40592cbc_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
31KB

MD5
e459eb6dcf035cf0ac35d8895f86b576

SHA1
b85852ec416029e9af0f348cbef3cf80385b47f3

SHA256
6463050e26d58875dd65fae2832182620bfe357d06c05b03c29259f4d417f349

SHA512
830250db4969334ebc5632d7da9224b6c3822432881e451235e8b1cfed30ef929b4f0a8fc313ce0fe8766ea2598a53f3e04df462bce16f67bfac70bf0732b9a5

Download Submit
memory/1160-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1160-1-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1160-2-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/1160-9-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1160-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1888-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1888-20-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1888-26-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download