bfef30c36f49ce4ddd80ff387adebc3a0e4bac4c9ff2b496b08c8bc8ca738476

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe
Size

42KB
MD5

0c31db75f9f138f8c9e14f9d6d0adec6
SHA1

e182c00de0c7096881b4ce96c77103fc12c84dfe
SHA256

bfef30c36f49ce4ddd80ff387adebc3a0e4bac4c9ff2b496b08c8bc8ca738476
SHA512

b5a5602be5be7bf0dd348d9ba92b925534a69fe320d8354c9f1b81a95ab3e4ff9237ecda416d978a8c7600440915a538aa164ee48c7c7fe6bc3ff0ab87de5d34
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBVaD3TP7DFHuRcD9m:X6QFElP6n+gJQMOtEvwDpjBmzDkWDA

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_set1

Executes dropped EXE 1 IoCs

Processes:

asih.exe

pid process

1972 asih.exe
Loads dropped DLL 1 IoCs

Processes:

2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe

pid process

2032 2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1972	asih.exe

pid	process
2032	2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe

description	pid	process	target process
PID 2032 wrote to memory of 1972	2032	2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe	asih.exe
PID 2032 wrote to memory of 1972	2032	2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe	asih.exe
PID 2032 wrote to memory of 1972	2032	2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe	asih.exe
PID 2032 wrote to memory of 1972	2032	2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe	asih.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_0c31db75f9f138f8c9e14f9d6d0adec6_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\asih.exe
"C:\Users\Admin\AppData\Local\Temp\asih.exe"
2⤵
- Executes dropped EXE
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe
Filesize
42KB

MD5
8e87b4bb6e05519b6037127b4fce2fc2

SHA1
38d1d3dae3e5ef3d2054033eea1a97d324102a78

SHA256
516dcf1d55eb2cb889165c73ea6418f2886ee237d773b8b7919b473c80170965

SHA512
d671e769e9ab3e965ba1e2d4df8f04f776bf42f600dc83a8ae910df945317412fd67c97baeb1ff238ea93ff5b7fa25ec01eca05cd746e160014d2d5ce0726808

Download Submit
memory/1972-22-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1972-15-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/2032-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2032-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2032-2-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download