d0ad25aad9e04ab112195abd6d424914a6eed36dcca9e08193e0200497837cd4

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_85df5523fb70f4029934c40857aaa2b4_cryptolocker.exe
Size

38KB
MD5

85df5523fb70f4029934c40857aaa2b4
SHA1

caa1587271dd469ae12e6a47f35183e90c637eca
SHA256

d0ad25aad9e04ab112195abd6d424914a6eed36dcca9e08193e0200497837cd4
SHA512

fcf422812b04dd09fdfb74d46693ebaaff474fce5fb30f1bd9ad3c86a0852e6ad2e768698776fe6d3afae344eadeff490d261af1ab4542a548baac5604ef5b47
SSDEEP

768:V6LsoEEeegiZPvEhHSG+gDYQtOOtEvwDpj/MLam5axJ5:V6QFElP6n+gMQMOtEvwDpjyaYaP5

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012253-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012253-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2888	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1740	2024-03-29_85df5523fb70f4029934c40857aaa2b4_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2888	1740	2024-03-29_85df5523fb70f4029934c40857aaa2b4_cryptolocker.exe	28
PID 1740 wrote to memory of 2888	1740	2024-03-29_85df5523fb70f4029934c40857aaa2b4_cryptolocker.exe	28
PID 1740 wrote to memory of 2888	1740	2024-03-29_85df5523fb70f4029934c40857aaa2b4_cryptolocker.exe	28
PID 1740 wrote to memory of 2888	1740	2024-03-29_85df5523fb70f4029934c40857aaa2b4_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-29_85df5523fb70f4029934c40857aaa2b4_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_85df5523fb70f4029934c40857aaa2b4_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
39KB

MD5
74fc3e17b47dbd29972407363f7a9689

SHA1
2f488a6d0ce4c0f08518dca14e151f7dfabe5ad5

SHA256
58d2dabe0fb92d64983dfc47ed63deb50968a465100a475ecb67f762f47262df

SHA512
8604af646002ed3353ec76a17bdb477a3cd372b860e924291a4579e13483e952593649c114ae357fb2b711a286f0819e027dd9a2487d54e5d658238821cc3d60

Download Submit
memory/1740-0-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1740-1-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/1740-8-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2888-15-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2888-22-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download