4925ff3f0ae784203ad23c96961e12af0a1be77a15b48a5ec38900266336f146

General

Target

2024-05-25_9e97e5d32f03bfbee944a92e6638912f_cryptolocker.exe
Size

78KB
MD5

9e97e5d32f03bfbee944a92e6638912f
SHA1

7cdd61c612ec91289d04e65b6219fbbc49d25ae3
SHA256

4925ff3f0ae784203ad23c96961e12af0a1be77a15b48a5ec38900266336f146
SHA512

5d27c449a804611261c17e7025ffc7d28c2dd91c26c7040a5edef20ffc03d1b04652e927f3ed329e6334a98f47fe75f8672aa9ddaf0ee4dd1ac4f5f91be91450
SSDEEP

1536:T6QFElP6n+gxmddpMOtEvwDpjwaxTNUOAkXtBdxPUxJ:T6a+rdOOtEvwDpjNtHPy

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 6 IoCs

resource	yara_rule
behavioral1/memory/2856-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000d000000014698-11.dat	CryptoLocker_rule2
behavioral1/memory/2856-13-0x00000000006A0000-0x00000000006B0000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2856-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1744-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1744-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 6 IoCs

resource	yara_rule
behavioral1/memory/2856-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000d000000014698-11.dat	CryptoLocker_set1
behavioral1/memory/2856-13-0x00000000006A0000-0x00000000006B0000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2856-15-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1744-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1744-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral1/memory/2856-0-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/files/0x000d000000014698-11.dat	UPX
behavioral1/memory/2856-13-0x00000000006A0000-0x00000000006B0000-memory.dmp	UPX
behavioral1/memory/2856-15-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/1744-17-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/1744-27-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
1744	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2856	2024-05-25_9e97e5d32f03bfbee944a92e6638912f_cryptolocker.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2856-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000d000000014698-11.dat	upx
behavioral1/memory/2856-13-0x00000000006A0000-0x00000000006B0000-memory.dmp	upx
behavioral1/memory/2856-15-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1744-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1744-27-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1744	2856	2024-05-25_9e97e5d32f03bfbee944a92e6638912f_cryptolocker.exe	28
PID 2856 wrote to memory of 1744	2856	2024-05-25_9e97e5d32f03bfbee944a92e6638912f_cryptolocker.exe	28
PID 2856 wrote to memory of 1744	2856	2024-05-25_9e97e5d32f03bfbee944a92e6638912f_cryptolocker.exe	28
PID 2856 wrote to memory of 1744	2856	2024-05-25_9e97e5d32f03bfbee944a92e6638912f_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-25_9e97e5d32f03bfbee944a92e6638912f_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_9e97e5d32f03bfbee944a92e6638912f_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
78KB

MD5
7dc6d2eccb684c13bf21520f0893deeb

SHA1
50b392369f071c3d9e9bff4893f920a7ebab053a

SHA256
c6760675ca36d16262e59905c92c0206b63eafd1bc1fba9eb3c3146f458af365

SHA512
23721ce8aedd73f6cf60f26ceefcad5c3f7dd0729ec26db985ae3bd5a6983e3a14ad6a884014d063584ded3f4dfd905f648b8805e85af4c92614c2e5d9fb26be

Download Submit
memory/1744-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1744-19-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/1744-20-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/1744-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2856-1-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2856-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2856-2-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/2856-9-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2856-13-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/2856-15-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing