df5a9cfd8ad83c30c2dea350e5de15c1263587665b2c1b335f3f4005b385dc22

Analysis

max time kernel
148s
max time network
156s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 10:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-17_05b42cb6a14bfb1b88f57d19d8d578e5_cryptolocker.exe
Size

41KB
MD5

05b42cb6a14bfb1b88f57d19d8d578e5
SHA1

444415cea3ce035a047b5d0573d274a737fdd02f
SHA256

df5a9cfd8ad83c30c2dea350e5de15c1263587665b2c1b335f3f4005b385dc22
SHA512

ac5f1ed371dce824c2c5d07d73ebff061699b072f48239f9ab2241f5c8f3bd14e847c49a3fee0d0242684ebc615c724025e32b39821f912fc4fd04b55c686ab6
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaac4HKcfr9Ori:X6QFElP6n+gJQMOtEvwDpjBsYK6r0ri

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000143a8-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000143a8-12.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2648	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2616	2024-05-17_05b42cb6a14bfb1b88f57d19d8d578e5_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2648	2616	2024-05-17_05b42cb6a14bfb1b88f57d19d8d578e5_cryptolocker.exe	28
PID 2616 wrote to memory of 2648	2616	2024-05-17_05b42cb6a14bfb1b88f57d19d8d578e5_cryptolocker.exe	28
PID 2616 wrote to memory of 2648	2616	2024-05-17_05b42cb6a14bfb1b88f57d19d8d578e5_cryptolocker.exe	28
PID 2616 wrote to memory of 2648	2616	2024-05-17_05b42cb6a14bfb1b88f57d19d8d578e5_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-17_05b42cb6a14bfb1b88f57d19d8d578e5_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-17_05b42cb6a14bfb1b88f57d19d8d578e5_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
42KB

MD5
d3fd4cf87ddaa0bbd77af5fc079d4a4c

SHA1
abb67c3a7744dc7a853f43070b01d59c9db2cd3f

SHA256
fe06fca30d6f167a551b55e5e675551066a3320a588ff8785963abf865cfe2c9

SHA512
fbbe51f31a2dc26c01ed56a555670d3d7553d2da186941394df9e1f9e4e250394603bf6a52430aabc94ef202c224ed3e7851ce0d5b91455e6fbba6b2e36cff39

Download Submit
memory/2616-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2616-1-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/2616-8-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2648-22-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2648-15-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download