9ce70b16b6c38d25ad22e5cee21a2946b1ed2eeb97e4c29deff6ff58da191687

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 19:04

Target

2024052131b97580eddac0ca21921fa313619339cryptolocker.exe
Size

41KB
MD5

31b97580eddac0ca21921fa313619339
SHA1

5d700d4c4a2a0c82dcc645598b4490a8e3e5001f
SHA256

9ce70b16b6c38d25ad22e5cee21a2946b1ed2eeb97e4c29deff6ff58da191687
SHA512

f948e0d6efd51f1ec2fa7629c15608e43e6e81843f1cc7d6714f627a968c3fb76a97b4d61e9dd31976fb2879017dbc0a27506d271a155921b8862460695b56f5
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaac4HK/wSvuQTCyD/95z:X6QFElP6n+gJQMOtEvwDpjBsYK/fbDFt

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

asih.exe

pid process

2484 asih.exe
Loads dropped DLL 1 IoCs

Processes:

2024052131b97580eddac0ca21921fa313619339cryptolocker.exe

pid process

2860 2024052131b97580eddac0ca21921fa313619339cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2484	asih.exe

pid	process
2860	2024052131b97580eddac0ca21921fa313619339cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024052131b97580eddac0ca21921fa313619339cryptolocker.exe

description	pid	process	target process
PID 2860 wrote to memory of 2484	2860	2024052131b97580eddac0ca21921fa313619339cryptolocker.exe	asih.exe
PID 2860 wrote to memory of 2484	2860	2024052131b97580eddac0ca21921fa313619339cryptolocker.exe	asih.exe
PID 2860 wrote to memory of 2484	2860	2024052131b97580eddac0ca21921fa313619339cryptolocker.exe	asih.exe
PID 2860 wrote to memory of 2484	2860	2024052131b97580eddac0ca21921fa313619339cryptolocker.exe	asih.exe

C:\Users\Admin\AppData\Local\Temp\2024052131b97580eddac0ca21921fa313619339cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024052131b97580eddac0ca21921fa313619339cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2484

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
41KB

MD5
761044fd46389230ead07bb5c1a1e11c

SHA1
27ea631ad1fac2c79fa2fcb2d37e8e76c5896804

SHA256
b6f0b302c4a4fa71ba401a4bc32c80d68dfca00008175b4fca8d16c8ed9c368b

SHA512
e8bab79076857feca1c8d7e3c09b1c4e1d8e3bb93ce13c4be5c18f01f20f9955f2a2da605d40427f3c145840998b24d9a7854cb38501de533b34c78e12aafdc6

Download Submit
memory/2484-16-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2484-15-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2860-0-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/2860-1-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2860-8-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download