3d1a1c24079a69fddab65aeacce28bb71790a6d918ea213e08208e74c87333a8

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 20:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_3ed491188f97e9cebdf110fb8639c5bc_cryptolocker.exe
Size

61KB
MD5

3ed491188f97e9cebdf110fb8639c5bc
SHA1

22e54cf2aa409e79d6d7b8376b67948d48b1a388
SHA256

3d1a1c24079a69fddab65aeacce28bb71790a6d918ea213e08208e74c87333a8
SHA512

1f6531d76be2c87b44a6589a207f4b0b70b41a2db8bc577522c642c96c4b64478ab9fc10969b2e235a812a0e44061bf5e6e65f846cd731dd696f7a60787deb54
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjyaLccVCbt5F:V6a+pOtEvwDpjvY

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000155ed-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000155ed-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2252	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2216	2024-04-17_3ed491188f97e9cebdf110fb8639c5bc_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2252	2216	2024-04-17_3ed491188f97e9cebdf110fb8639c5bc_cryptolocker.exe	28
PID 2216 wrote to memory of 2252	2216	2024-04-17_3ed491188f97e9cebdf110fb8639c5bc_cryptolocker.exe	28
PID 2216 wrote to memory of 2252	2216	2024-04-17_3ed491188f97e9cebdf110fb8639c5bc_cryptolocker.exe	28
PID 2216 wrote to memory of 2252	2216	2024-04-17_3ed491188f97e9cebdf110fb8639c5bc_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-17_3ed491188f97e9cebdf110fb8639c5bc_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_3ed491188f97e9cebdf110fb8639c5bc_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
61KB

MD5
c3ec5fa45a8f3685596faaabdd5af1e8

SHA1
8d89b8757b632a708dc9036def63cfb17da1ee2d

SHA256
4f9af737361ea421c74f2008c9fb4b6751465411af81e0c59d0eb8dbd96ca7d4

SHA512
86dd7e3a7d60f90e21c32764f039226d98f320f85a9f347ddcb44f78f9f16058e560e1f024278cea0a652799da95887b2254d66155904eabad43d91c9e31c682

Download Submit
memory/2216-0-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2216-2-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2216-1-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2252-15-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2252-22-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download