fd807e8c81d79adbc3a4b7f1986611985f686775a14c04d63b680ee6709845b3

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-15_a24aced771ed77f6f6c712aa25950448_cryptolocker.exe
Size

52KB
MD5

a24aced771ed77f6f6c712aa25950448
SHA1

dc0e28da2da03d835be686792b2a804c0f04f55c
SHA256

fd807e8c81d79adbc3a4b7f1986611985f686775a14c04d63b680ee6709845b3
SHA512

fa6de0c21355d40c072a8cb8f630e2d73a265bbf37ea2be7207cac68b2ac87256b328b060449a7d231f80c66ebabee7682bcd027a32ea0d5edff938fd8450343
SSDEEP

768:79inqyNR/QtOOtEvwDpjBK/rJ+Nw8qnTHGf04g/:79mqyNhQMOtEvwDpjBxe8GGfq

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 3 IoCs

resource	yara_rule
behavioral1/memory/2972-8-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000c00000001227b-14.dat	CryptoLocker_rule2
behavioral1/memory/2548-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 3 IoCs

resource	yara_rule
behavioral1/memory/2972-8-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000c00000001227b-14.dat	CryptoLocker_set1
behavioral1/memory/2548-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2548	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2972	2024-05-15_a24aced771ed77f6f6c712aa25950448_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2548	2972	2024-05-15_a24aced771ed77f6f6c712aa25950448_cryptolocker.exe	28
PID 2972 wrote to memory of 2548	2972	2024-05-15_a24aced771ed77f6f6c712aa25950448_cryptolocker.exe	28
PID 2972 wrote to memory of 2548	2972	2024-05-15_a24aced771ed77f6f6c712aa25950448_cryptolocker.exe	28
PID 2972 wrote to memory of 2548	2972	2024-05-15_a24aced771ed77f6f6c712aa25950448_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-15_a24aced771ed77f6f6c712aa25950448_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_a24aced771ed77f6f6c712aa25950448_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
52KB

MD5
f20ad48bbd82393436bab0c9b8f289aa

SHA1
931d8efef307b9a584978ddcf023bde64a9b7545

SHA256
0d94c46c5b5ebaa16154fee0f004a13c32d7093cd68a243524019b1448c27f72

SHA512
4dacff9a85ed1933e0a0f1e6ff8489d6e2e238641a77f6572d655940c7f75ea6a04355b9293fe8c2f5c44c4ec185474377a43f7e6dcb24962fad2dcfb971578e

Download Submit
memory/2548-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2548-17-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2548-24-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2972-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2972-1-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2972-9-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2972-8-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download