a1730fbd2cb8104d71cceb8e173359ef06dd6240cae3dd5eaba96145145af238

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_6c04724aa88de57155d86811bfd15057_cryptolocker.exe
Size

52KB
MD5

6c04724aa88de57155d86811bfd15057
SHA1

cdaf12ffa5d83e93fb16cbbfa40688deb03358ac
SHA256

a1730fbd2cb8104d71cceb8e173359ef06dd6240cae3dd5eaba96145145af238
SHA512

235ecc107b0c72ec9f91030212843bec91350f334a80779a48b6c29b81963a04cdca5d4eac7d265fbb0900e96a46e21819f37f64725fba28d1f50dfbe7bf2803
SSDEEP

768:79inqyNR/QtOOtEvwDpjBK/rJ+Nw8qnTHGf04gsI:79mqyNhQMOtEvwDpjBxe8GGf9I

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_rule2
behavioral1/memory/2972-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2004-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2004-1-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_set1
behavioral1/memory/2972-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2004-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2004-1-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Executes dropped EXE 1 IoCs

Processes:

asih.exe

pid process

2972 asih.exe
Loads dropped DLL 1 IoCs

Processes:

2024-05-23_6c04724aa88de57155d86811bfd15057_cryptolocker.exe

pid process

2004 2024-05-23_6c04724aa88de57155d86811bfd15057_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2972	asih.exe

pid	process
2004	2024-05-23_6c04724aa88de57155d86811bfd15057_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-05-23_6c04724aa88de57155d86811bfd15057_cryptolocker.exe

description	pid	process	target process
PID 2004 wrote to memory of 2972	2004	2024-05-23_6c04724aa88de57155d86811bfd15057_cryptolocker.exe	asih.exe
PID 2004 wrote to memory of 2972	2004	2024-05-23_6c04724aa88de57155d86811bfd15057_cryptolocker.exe	asih.exe
PID 2004 wrote to memory of 2972	2004	2024-05-23_6c04724aa88de57155d86811bfd15057_cryptolocker.exe	asih.exe
PID 2004 wrote to memory of 2972	2004	2024-05-23_6c04724aa88de57155d86811bfd15057_cryptolocker.exe	asih.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_6c04724aa88de57155d86811bfd15057_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_6c04724aa88de57155d86811bfd15057_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\asih.exe
"C:\Users\Admin\AppData\Local\Temp\asih.exe"
2⤵
- Executes dropped EXE
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe
Filesize
52KB

MD5
31baf12280bf6713ffac3ba4c0147b3e

SHA1
fbe51fef031dd83f17e36bd47c6ea45071d05d47

SHA256
5228a57bc5b50e155937edc5dbb553c34f23cf82a0a6112f13f0e3f7c1c31f74

SHA512
87b362f216f542bae53c4b498ddb2c2396404eba9ee4e97d06ef398ff185ef7bd78a81c68e9f0d95233f0f7d93c511186c36c24b8f9ba1ab1b0e8e5754cbf895

Download Submit
memory/2004-9-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2004-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2004-2-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2004-1-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2004-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2972-18-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2972-25-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2972-16-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download