41a338e02098e133404547bba7b8bef78109ffe37a307dc106017e938d0da1cf

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 05:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_75445c3abff6a5f4c96ae233ca7a040b_cryptolocker.exe
Size

53KB
MD5

75445c3abff6a5f4c96ae233ca7a040b
SHA1

76eebeda71dc02afe5e0da59cea2eb1a8991b6b9
SHA256

41a338e02098e133404547bba7b8bef78109ffe37a307dc106017e938d0da1cf
SHA512

029c15c8444de80c55d8e75963bd0529fca9e9f77eeae228c4d0ffce658107b0e90cd8085c53f38ae9173c55d7959eb93d5bc201c7f7fa74b16d444882b65118
SSDEEP

1536:Dk/xY0sllyGQMOtEvwDpjwycDtKkQZQ6uB:DW60sllyWOtEvwDpjwFN

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

resource	yara_rule
behavioral1/memory/2924-0-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000b000000015df1-11.dat	CryptoLocker_rule2
behavioral1/memory/2924-15-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2060-17-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral1/memory/2924-0-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000b000000015df1-11.dat	CryptoLocker_set1
behavioral1/memory/2924-15-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2060-17-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2060	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2924	2024-04-05_75445c3abff6a5f4c96ae233ca7a040b_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2060	2924	2024-04-05_75445c3abff6a5f4c96ae233ca7a040b_cryptolocker.exe	28
PID 2924 wrote to memory of 2060	2924	2024-04-05_75445c3abff6a5f4c96ae233ca7a040b_cryptolocker.exe	28
PID 2924 wrote to memory of 2060	2924	2024-04-05_75445c3abff6a5f4c96ae233ca7a040b_cryptolocker.exe	28
PID 2924 wrote to memory of 2060	2924	2024-04-05_75445c3abff6a5f4c96ae233ca7a040b_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-05_75445c3abff6a5f4c96ae233ca7a040b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_75445c3abff6a5f4c96ae233ca7a040b_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
53KB

MD5
e8d17005e76c79198fc45d5b8d29582c

SHA1
f6f3ca34f01501da7b6db8ba8a8157feb8a4e0b7

SHA256
1fcfd84917ec35fd0b2c2e7fead3575dca8fab52cfc14bfeb58f1bb8ae3d10e5

SHA512
c8a89ea79506ad954ad5efa6bfcf7342ecd887ea2d44a333fc88ded29ce3a030d4b65d97be69ec2bca5208a53113570f5c4d7fc53c11e474ea4f7a7699ae1bfe

Download Submit
memory/2060-18-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download
memory/2060-20-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/2060-17-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/2924-0-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/2924-1-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2924-2-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2924-9-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2924-15-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download