0511ecae6f47560c9ed8233d94f06aafd67146aa1d58b0a2c39835b6f96e2f7e

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_de0689614f54ac3a9b7d6d84f4a1445f_cryptolocker.exe
Size

76KB
MD5

de0689614f54ac3a9b7d6d84f4a1445f
SHA1

2bdf803cb0de9304c2660ec441f2773042ba272b
SHA256

0511ecae6f47560c9ed8233d94f06aafd67146aa1d58b0a2c39835b6f96e2f7e
SHA512

a0a7d5de98dedd5258fcf6a21f6984b6070ecb06f1b8c665a5b2366f5b9271a0cf46fa2870575526e7c581cb2d287e62cbe4892c46f8bbb8c84187b4060fd92f
SSDEEP

1536:X6QFElP6n+gJQMOtEvwDpjBZYTjipvF2bx1siMOJB:X6a+SOtEvwDpjBZYvQd2R

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000015cb1-13.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000015cb1-13.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2712	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2768	2024-05-25_de0689614f54ac3a9b7d6d84f4a1445f_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2712	2768	2024-05-25_de0689614f54ac3a9b7d6d84f4a1445f_cryptolocker.exe	28
PID 2768 wrote to memory of 2712	2768	2024-05-25_de0689614f54ac3a9b7d6d84f4a1445f_cryptolocker.exe	28
PID 2768 wrote to memory of 2712	2768	2024-05-25_de0689614f54ac3a9b7d6d84f4a1445f_cryptolocker.exe	28
PID 2768 wrote to memory of 2712	2768	2024-05-25_de0689614f54ac3a9b7d6d84f4a1445f_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-25_de0689614f54ac3a9b7d6d84f4a1445f_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_de0689614f54ac3a9b7d6d84f4a1445f_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
76KB

MD5
97a0a5f378ad4a9a79968ca5a3c1450c

SHA1
d6d54975bf7c3e6c2fbcaf3b6c07fa6a90a80f2e

SHA256
7249f47e181df42eb055c92e3eaee4083604a827b5802105b24c3605e8e05ff1

SHA512
3c69fa193e1a45a5270aa32d334c03a3a134662041e8377933b268e2047e5902adec2daadd107d832bb05bb2e1b49b3b5a4f1549b2cd03bd0fddd6843abeacb3

Download Submit
memory/2712-15-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2768-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2768-1-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2768-8-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download