35d1ec042673090fe3658a59436d93e8e81989708dbfa6828052d8189167bc6a

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 04:45

Target

2024-04-19_d900265fcecddc09f8a697131352f33d_cryptolocker.exe
Size

38KB
MD5

d900265fcecddc09f8a697131352f33d
SHA1

d9493b1d6409059bf7072ae40b0f0bda2b3089c1
SHA256

35d1ec042673090fe3658a59436d93e8e81989708dbfa6828052d8189167bc6a
SHA512

e78da0827f22ed750414fd6d3cfd9114ea62832619b966a3d00fc608b02cbd24629fc3a2e91e581294630a91c88365f2de4493679881a143d16402ad793e847f
SSDEEP

768:wHGGaSawqnwjRQ6ESlmFOsPoOdQtOOtEvwDpjm6WaJIOc+UPPEkLpGO:YGzl5wjRQBBOsP1QMOtEvwDpjgarrkLX

Score

9^/10

Detection of CryptoLocker Variants 3 IoCs

resource	yara_rule
behavioral1/memory/1896-2-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000a0000000143fa-11.dat	CryptoLocker_rule2
behavioral1/memory/2872-15-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 3 IoCs

resource	yara_rule
behavioral1/memory/1896-2-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000a0000000143fa-11.dat	CryptoLocker_set1
behavioral1/memory/2872-15-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2872	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1896	2024-04-19_d900265fcecddc09f8a697131352f33d_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2872	1896	2024-04-19_d900265fcecddc09f8a697131352f33d_cryptolocker.exe	28
PID 1896 wrote to memory of 2872	1896	2024-04-19_d900265fcecddc09f8a697131352f33d_cryptolocker.exe	28
PID 1896 wrote to memory of 2872	1896	2024-04-19_d900265fcecddc09f8a697131352f33d_cryptolocker.exe	28
PID 1896 wrote to memory of 2872	1896	2024-04-19_d900265fcecddc09f8a697131352f33d_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-19_d900265fcecddc09f8a697131352f33d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_d900265fcecddc09f8a697131352f33d_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2872

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
39KB

MD5
efbbc2de0486662087f859cd482074c8

SHA1
f7b17ce59c3eb2739824e51ed8a4afcb3d35df7f

SHA256
7a65fc89b9d7526165014c7714d86d688ee915fc7337e26ed778de2873a5901f

SHA512
31f1052bcada76499f6b7a816ea3904dc2e4f55eaa5a4c365e5ff5f86f0884853c7c1b1bead2797d09829e6be8f5fe02940d0058ef89f44c4d9741c6eb313ed2

Download Submit
memory/1896-0-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/1896-2-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/1896-1-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/1896-4-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2872-15-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/2872-17-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2872-23-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download