cbd83e1fd221da431a297a17be52b4a9ecd7fa308a3b07f5f6bdab614c9d3744

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_5b67cdb793e3335bb39ed0e136d84b46_cryptolocker.exe
Size

48KB
MD5

5b67cdb793e3335bb39ed0e136d84b46
SHA1

705fe65896bf35228ae20f2fe0fc7bbfe5196d8a
SHA256

cbd83e1fd221da431a297a17be52b4a9ecd7fa308a3b07f5f6bdab614c9d3744
SHA512

45dc4c85aa28de4f09c0a4fb6924cfc1437af3f4c47593cd14ea17595542b8e2dbad9b65e1ab243aa58d56857bc24747601f26404fd40d5f19620afb50b95a0a
SSDEEP

768:qmOKYQDf5XdrDmjr5tOOtEvwDpjAajFEitQbDmoSQCVUBJUkQqAHBIG05W2MoL5Y:qmbhXDmjr5MOtEvwDpj5cDtKkQZQVi

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/3024-1-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000c000000013113-11.dat	CryptoLocker_rule2
behavioral1/memory/2092-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/3024-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2092-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral1/memory/3024-1-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2092-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/3024-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2092-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/memory/3024-1-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/files/0x000c000000013113-11.dat	UPX
behavioral1/memory/2092-17-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/3024-16-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/2092-27-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2092	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	2024-05-20_5b67cdb793e3335bb39ed0e136d84b46_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2092	3024	2024-05-20_5b67cdb793e3335bb39ed0e136d84b46_cryptolocker.exe	28
PID 3024 wrote to memory of 2092	3024	2024-05-20_5b67cdb793e3335bb39ed0e136d84b46_cryptolocker.exe	28
PID 3024 wrote to memory of 2092	3024	2024-05-20_5b67cdb793e3335bb39ed0e136d84b46_cryptolocker.exe	28
PID 3024 wrote to memory of 2092	3024	2024-05-20_5b67cdb793e3335bb39ed0e136d84b46_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-20_5b67cdb793e3335bb39ed0e136d84b46_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_5b67cdb793e3335bb39ed0e136d84b46_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
48KB

MD5
b1768ea9da8b3161a36e81a14a779596

SHA1
cb26c28be63e4b05f4a942f5ad8eaa8f5d357c3d

SHA256
7ab539ad5b893e74bff53bf25e1f8b5992cb9b9edda994406be4bcbd0a5aa6f1

SHA512
ccf2ea778ec3f0cd911a90b5cbaa13207824ab7f9a45492b5ef077ea2c8972e18ffa5a5465dd8b1eedd4fdb5876cbb04852b9c66f656f6bd929007ef2b6462a4

Download Submit
memory/2092-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2092-26-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2092-19-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/2092-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3024-1-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3024-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/3024-2-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/3024-9-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/3024-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download