9dbd54f2da5a93055772ff01851f9bce3af7db49337be8ad8db5ef2179cb2f76

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_7bb1bbcca0bae9e61d899eceb3751fec_cryptolocker.exe
Size

45KB
MD5

7bb1bbcca0bae9e61d899eceb3751fec
SHA1

9930c271b48198362b14209c7eca2b8a1e8aab0f
SHA256

9dbd54f2da5a93055772ff01851f9bce3af7db49337be8ad8db5ef2179cb2f76
SHA512

30f005e9a70cdcf2d5c49c2c37a8cef79e8d8eb4e28456ab5a7d77905483777d4deeac44cbc2b54160d21ca7b0d89de8bc9dbe95ff849364ca3f9dcb196cb028
SSDEEP

768:V6LsoEEeegiZPvEhHSG+gDYQtOOtEvwDpj/MLam5aFr7YOzzfm0EXsx:V6QFElP6n+gMQMOtEvwDpjyaYaFAh3G

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012240-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012240-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2744	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2172	2024-04-25_7bb1bbcca0bae9e61d899eceb3751fec_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2744	2172	2024-04-25_7bb1bbcca0bae9e61d899eceb3751fec_cryptolocker.exe	28
PID 2172 wrote to memory of 2744	2172	2024-04-25_7bb1bbcca0bae9e61d899eceb3751fec_cryptolocker.exe	28
PID 2172 wrote to memory of 2744	2172	2024-04-25_7bb1bbcca0bae9e61d899eceb3751fec_cryptolocker.exe	28
PID 2172 wrote to memory of 2744	2172	2024-04-25_7bb1bbcca0bae9e61d899eceb3751fec_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-25_7bb1bbcca0bae9e61d899eceb3751fec_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_7bb1bbcca0bae9e61d899eceb3751fec_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
45KB

MD5
00a074480a9d5fd9f51864892346fd53

SHA1
78c56f34e98e4580a9ec10c88e9b53eea6ca9365

SHA256
ed711c7588bdaa3b0172a270423241bc9b62e98e528f99bfc3e7bef867b347be

SHA512
116ee604291c426aeac710e062fe8e9c4b912b74d835962f9530a3c7d4f8a14a3da3cb3d130e6703612a5e77a7228147ada4600c013057348feb65ea97c515f6

Download Submit
memory/2172-0-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2172-1-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2172-2-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2744-16-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/2744-15-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download