de48daa26ab9bef1f1f24fc4436f58d8d266462ef542bb718b577d5724f664fe

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
Size

42KB
MD5

1fdbddfc21d9aff1fd3b110abdb1a0bc
SHA1

8d895081f2ee9da51f8d090c3b2469be017c054d
SHA256

de48daa26ab9bef1f1f24fc4436f58d8d266462ef542bb718b577d5724f664fe
SHA512

b0456099efc30e6f8347adc829b15dabcaaa3f37c967e4eefb562e10d697304cd3577e54866ea2e607ab4aba1792d8f24ec249f586434dd7acdcf3158d0a2412
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBVaD3TP7DFHuRcD9o:X6QFElP6n+gJQMOtEvwDpjBmzDkWD+

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_set1

Executes dropped EXE 1 IoCs

Processes:

asih.exe

pid process

2564 asih.exe
Loads dropped DLL 1 IoCs

Processes:

2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe

pid process

1760 2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2564	asih.exe

pid	process
1760	2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe

description	pid	process	target process
PID 1760 wrote to memory of 2564	1760	2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe	asih.exe
PID 1760 wrote to memory of 2564	1760	2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe	asih.exe
PID 1760 wrote to memory of 2564	1760	2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe	asih.exe
PID 1760 wrote to memory of 2564	1760	2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe	asih.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\asih.exe
"C:\Users\Admin\AppData\Local\Temp\asih.exe"
2⤵
- Executes dropped EXE
PID:2564

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe
Filesize
42KB

MD5
f1a367238a8936d47ba5842b075c9859

SHA1
7839a13579685beabcc6ef86a4e40363296bbe28

SHA256
ad90a54109889f75db3629bf9e9375449cd9e9377f700f03d87a73e262580cf8

SHA512
71f4eaa18cc482f0a864efa5e25e2c038622eeb8b88374c15197d82f4d9309f4277c777bb3004a08c7eb8b06a87a74160d54a53e55e86b520a5065a1564e74da

Download Submit
memory/1760-8-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/1760-1-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/1760-0-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2564-15-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2564-22-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download