5ef44dbb12f261835b7add96fa450d61aff48f9ed9f69e4fedde3790da35a30a

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_99f72a65bc49c6012f8e2c56ff449e53_cryptolocker.exe
Size

72KB
MD5

99f72a65bc49c6012f8e2c56ff449e53
SHA1

e0f502fea48b44ca6cb7b917a83d4bc268249473
SHA256

5ef44dbb12f261835b7add96fa450d61aff48f9ed9f69e4fedde3790da35a30a
SHA512

e9a759c975f4d18509400181bc3ef0f2154249b0c0d50d8876a5d379317dd543c9b85d5063674d76a1dd5587633b1b8a5b30a0c29665c685ea419c1aa3006f2d
SSDEEP

1536:X6QFElP6n+gJQMOtEvwDpjBZYTjipvF2bx1svq:X6a+SOtEvwDpjBZYvQd28q

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122c3-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122c3-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
3060	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1444	2024-04-19_99f72a65bc49c6012f8e2c56ff449e53_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 3060	1444	2024-04-19_99f72a65bc49c6012f8e2c56ff449e53_cryptolocker.exe	28
PID 1444 wrote to memory of 3060	1444	2024-04-19_99f72a65bc49c6012f8e2c56ff449e53_cryptolocker.exe	28
PID 1444 wrote to memory of 3060	1444	2024-04-19_99f72a65bc49c6012f8e2c56ff449e53_cryptolocker.exe	28
PID 1444 wrote to memory of 3060	1444	2024-04-19_99f72a65bc49c6012f8e2c56ff449e53_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-19_99f72a65bc49c6012f8e2c56ff449e53_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_99f72a65bc49c6012f8e2c56ff449e53_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
72KB

MD5
8dd099b73e2120c6f39d6db35cfb965f

SHA1
ee2944a54aa283cf1dff88a898d9a4a70ecc8296

SHA256
ab839f7fe5ec64c55a97f669348221cb789d3a5542b2cb43d20cf82bcbef24a3

SHA512
179d68e2a6cebd399793c992a45f7599ebf291bbb41d789cfdde5c93c63f0f8fb212f1e0d7017c4d2ba429248373fc2d75f046e6a5e48e2c9b982698d0f18646

Download Submit
memory/1444-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1444-2-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/1444-1-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/3060-15-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/3060-17-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download