fa86fe14257e98d90de29847703356f38eb0e04b92bfe4b16d8dddc61bf64cf0

Analysis

max time kernel
149s
max time network
168s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 13:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_04232f92fce44cf425c9f790bb0d7632_cryptolocker.exe
Size

92KB
MD5

04232f92fce44cf425c9f790bb0d7632
SHA1

cda8954f8839ce064bf51fd83c9575f5e6f81c16
SHA256

fa86fe14257e98d90de29847703356f38eb0e04b92bfe4b16d8dddc61bf64cf0
SHA512

e1ab31a97d2f8929818493f488bf65c25884f8a0ef4e0f2ca4c86e03c8c9d977a33e33265647df73aa39923a086a2c1f89a4d7772c8e141ffb5f97baccb9b172
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjQGYQbN/PKwMg6:V6a+pOtEvwDpjtz+

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012267-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012267-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2888	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2944	2024-03-28_04232f92fce44cf425c9f790bb0d7632_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2888	2944	2024-03-28_04232f92fce44cf425c9f790bb0d7632_cryptolocker.exe	28
PID 2944 wrote to memory of 2888	2944	2024-03-28_04232f92fce44cf425c9f790bb0d7632_cryptolocker.exe	28
PID 2944 wrote to memory of 2888	2944	2024-03-28_04232f92fce44cf425c9f790bb0d7632_cryptolocker.exe	28
PID 2944 wrote to memory of 2888	2944	2024-03-28_04232f92fce44cf425c9f790bb0d7632_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-28_04232f92fce44cf425c9f790bb0d7632_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_04232f92fce44cf425c9f790bb0d7632_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
92KB

MD5
11a86591ed5140b81e6b7a67c521ec68

SHA1
502de282d652f20cf5d1e23a38081432fe89717a

SHA256
d130a190aedcfade58854ce6af05fbbf8508a75111610a0896ea2c639fad24f3

SHA512
7304660550788404e40ee6747b84512193f5a8ecb5af010e92d8674e9b7cc1ad1ab9f9e130ccf174c49b244b462348a18f413c1c2d14ed504cfe3f1dbfc4355c

Download Submit
memory/2888-15-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2888-20-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2944-0-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/2944-2-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/2944-1-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download