a379f587b9b0e879c666de8e130b6af137b52f9aabf1a54f0a73b34eee595489

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-27_ef1179d671b69f0b8ebbce0b6d2181e6_cryptolocker.exe
Size

123KB
MD5

ef1179d671b69f0b8ebbce0b6d2181e6
SHA1

9ea4e73cae94fe1f8f4f105f3131f6ede8f5c608
SHA256

a379f587b9b0e879c666de8e130b6af137b52f9aabf1a54f0a73b34eee595489
SHA512

2e77eeed748183879d550953e69aac6fbc5bf121646556836bf7ce365a53edf8b9b768c5777d801c3f588d438b75431037167a036d3d35d177b0dd3796ef6768
SSDEEP

1536:u6QFElP6n+gWMOtEvwDpjJGYQbN/PKwMgB:u6a++OtEvwDpj6zV

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001231a-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001231a-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
1964	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2316	2024-03-27_ef1179d671b69f0b8ebbce0b6d2181e6_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1964	2316	2024-03-27_ef1179d671b69f0b8ebbce0b6d2181e6_cryptolocker.exe	28
PID 2316 wrote to memory of 1964	2316	2024-03-27_ef1179d671b69f0b8ebbce0b6d2181e6_cryptolocker.exe	28
PID 2316 wrote to memory of 1964	2316	2024-03-27_ef1179d671b69f0b8ebbce0b6d2181e6_cryptolocker.exe	28
PID 2316 wrote to memory of 1964	2316	2024-03-27_ef1179d671b69f0b8ebbce0b6d2181e6_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-27_ef1179d671b69f0b8ebbce0b6d2181e6_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-27_ef1179d671b69f0b8ebbce0b6d2181e6_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
123KB

MD5
9914353df0de6ee2b58f32b050cb906b

SHA1
26b0ae3345fb26237d6a31c0791627024f6b32d1

SHA256
0a2cce30b3d54910ecd7c88ed95bac8060240169b361c28a201164ec82ccaa71

SHA512
c2bfca6eb32c04f18c27d55906df021807c975da89e08141d90789b9c1ffaef6b5a2dde3484e2abfc15addc2c3184a89771c241affe63eb1597d1f548ae0b712

Download Submit
memory/1964-15-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2316-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2316-1-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/2316-8-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download