1fbc7b57c4b9f1ae614895cbc6e124c8e5c718d150e9a44c33ae7a2e6429c1ed

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-04-2024 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe
Size

85KB
MD5

d1fdbf77257065578e7ad01294b55392
SHA1

ff27d56b600945b50a52f63f5cbd4b924f035eff
SHA256

1fbc7b57c4b9f1ae614895cbc6e124c8e5c718d150e9a44c33ae7a2e6429c1ed
SHA512

4899ff60eb66bfbd5e562e3e7ef308557285be27000e53428e7f2f65bdfa92e21c49f0774f8658a3fa88e88627c9dbd44dabaa7bf81d19ccaf812ae579089be6
SSDEEP

768:V6LsoEEeegiZPvEhHSG+gDYQtOOtEvwDpj/MLa5VccPtNw5CS95yFPnYcU:V6QFElP6n+gMQMOtEvwDpjyaLccVNl6X

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_set1

Executes dropped EXE 1 IoCs

Processes:

asih.exe

pid process

2564 asih.exe
Loads dropped DLL 1 IoCs

Processes:

2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe

pid process

2684 2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2564	asih.exe

pid	process
2684	2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe

description	pid	process	target process
PID 2684 wrote to memory of 2564	2684	2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe	asih.exe
PID 2684 wrote to memory of 2564	2684	2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe	asih.exe
PID 2684 wrote to memory of 2564	2684	2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe	asih.exe
PID 2684 wrote to memory of 2564	2684	2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe	asih.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_d1fdbf77257065578e7ad01294b55392_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\asih.exe
"C:\Users\Admin\AppData\Local\Temp\asih.exe"
2⤵
- Executes dropped EXE
PID:2564

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe
Filesize
86KB

MD5
a83392244835386034a584b0940ddf79

SHA1
363627dc30ef6374acde485f71c157a0cdebc56f

SHA256
49b64751e1c3e1f9fedac0bd6d10d3cd50f0272db99782d004736e2a4f5e9d16

SHA512
b309c6553acf1de09f6825aa649be458427c78079288d6e32573057b5b9e7fb6270d60b1e64867003aa593ac60432a9345611515943711f8b0f5b3f27c0d7b1a

Download Submit
memory/2564-22-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2684-0-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2684-8-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2684-1-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download