69f2b2661805f78273e28f7e639786aaf03227efd617936f352fa4fcee9a778c

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/04/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_25715cd4853b47c58e8b0339aa54f50a_cryptolocker.exe
Size

92KB
MD5

25715cd4853b47c58e8b0339aa54f50a
SHA1

82b87929f5f534c1b95d6fd168d059430fbcea7f
SHA256

69f2b2661805f78273e28f7e639786aaf03227efd617936f352fa4fcee9a778c
SHA512

2b26167f98ea12f6cc7e36aa6559d4978936525a3b8c101e0bfe3b304a762d81cf402efacfbf588dbc3870b4fba61d9669322085dcc75125cb8f8873de2d83ca
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjQGYQbN/PKwMgL0e:V6a+pOtEvwDpjtzp

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000d000000013413-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000d000000013413-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2552	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2876	2024-04-28_25715cd4853b47c58e8b0339aa54f50a_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2552	2876	2024-04-28_25715cd4853b47c58e8b0339aa54f50a_cryptolocker.exe	28
PID 2876 wrote to memory of 2552	2876	2024-04-28_25715cd4853b47c58e8b0339aa54f50a_cryptolocker.exe	28
PID 2876 wrote to memory of 2552	2876	2024-04-28_25715cd4853b47c58e8b0339aa54f50a_cryptolocker.exe	28
PID 2876 wrote to memory of 2552	2876	2024-04-28_25715cd4853b47c58e8b0339aa54f50a_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-28_25715cd4853b47c58e8b0339aa54f50a_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_25715cd4853b47c58e8b0339aa54f50a_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
92KB

MD5
440e926c7ae226d0a012afd53ee324d1

SHA1
abcb0d26b96dc995906dbc0de387a7fb73f984fa

SHA256
902147aa2d1f014e7a58c2798da74683b8a6a549f4cfa66be0bd46470d276fd6

SHA512
7615aa0ac1f8b3a5eb437b2273a5bb74811b9353c59e4637ab5b7fdefce3861bee078771c113fd87bd2a52fe4b1768ffcc4b0fbc814966d699e3e62ccf629a55

Download Submit
memory/2552-15-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2552-22-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2876-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2876-1-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2876-8-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download