5f244fd30dafd27072792bc1ee991292dbbe617c95bb421539911ba01f626115

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_588d49a694e287a259df0f2d9dd9af69_cryptolocker.exe
Size

104KB
MD5

588d49a694e287a259df0f2d9dd9af69
SHA1

29ab60df90f3a6a717fcbbb593ef1385fc3b3921
SHA256

5f244fd30dafd27072792bc1ee991292dbbe617c95bb421539911ba01f626115
SHA512

69749c01819a0bbec95271b4fa6670878a7cd3ab3173ec4c82924015a885efd4fd378cfa795e098391d4004943635f2d91a5da43bf8f448afa2148f88755e5af
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjQGYQbN/PKwNgpQbCJhHK:V6a+pOtEvwDpjtzf

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224c-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224c-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
1756	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1932	2024-04-06_588d49a694e287a259df0f2d9dd9af69_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1756	1932	2024-04-06_588d49a694e287a259df0f2d9dd9af69_cryptolocker.exe	28
PID 1932 wrote to memory of 1756	1932	2024-04-06_588d49a694e287a259df0f2d9dd9af69_cryptolocker.exe	28
PID 1932 wrote to memory of 1756	1932	2024-04-06_588d49a694e287a259df0f2d9dd9af69_cryptolocker.exe	28
PID 1932 wrote to memory of 1756	1932	2024-04-06_588d49a694e287a259df0f2d9dd9af69_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-06_588d49a694e287a259df0f2d9dd9af69_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_588d49a694e287a259df0f2d9dd9af69_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
104KB

MD5
099c36166ce15021cee8ae39dac27031

SHA1
7580745740bd5161900416fc21dfdf5197a3d906

SHA256
a4c2cf89b9174b007f42e7b1cb009aa86d665b80e9e4834f41eb22f9b5dab398

SHA512
5d5569ce4f484a14c78dae4561c05638e1e17d4e90017de2fe404d0e2f839cc2a7cf961979a8804ea6894e4d4bc1f6d27b6382d6a1800f74aaba052c0fdb3320

Download Submit
memory/1756-15-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/1756-17-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1932-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1932-1-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1932-3-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download