bcf67d327bb4cf2871b5a18f3e4aec798aa192e60f8ee4c70fbdb3c9eb3b5262

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-26_89c74df34772de1cb6fc16b79bbbaa01_cryptolocker.exe
Size

48KB
MD5

89c74df34772de1cb6fc16b79bbbaa01
SHA1

8fc5f4fa302147c88618798d26f7496e088aeb22
SHA256

bcf67d327bb4cf2871b5a18f3e4aec798aa192e60f8ee4c70fbdb3c9eb3b5262
SHA512

cbe049fe3365193334a5698ce7285d90a87f273f86da8cfd5ad3c1ea0581486599c7e712e6ce6200695b4ff977afcb6ab19a56ce35d1411b540940cf5426899e
SSDEEP

768:79inqyNR/QtOOtEvwDpjBKccJVODvccwDFW0R:79mqyNhQMOtEvwDpjBzck1W40R

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

resource	yara_rule
behavioral1/memory/2192-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000b000000014e5a-11.dat	CryptoLocker_rule2
behavioral1/memory/2192-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2552-26-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral1/memory/2192-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000b000000014e5a-11.dat	CryptoLocker_set1
behavioral1/memory/2192-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2552-26-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2552	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2192	2024-05-26_89c74df34772de1cb6fc16b79bbbaa01_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2552	2192	2024-05-26_89c74df34772de1cb6fc16b79bbbaa01_cryptolocker.exe	28
PID 2192 wrote to memory of 2552	2192	2024-05-26_89c74df34772de1cb6fc16b79bbbaa01_cryptolocker.exe	28
PID 2192 wrote to memory of 2552	2192	2024-05-26_89c74df34772de1cb6fc16b79bbbaa01_cryptolocker.exe	28
PID 2192 wrote to memory of 2552	2192	2024-05-26_89c74df34772de1cb6fc16b79bbbaa01_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-26_89c74df34772de1cb6fc16b79bbbaa01_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_89c74df34772de1cb6fc16b79bbbaa01_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
49KB

MD5
a35a2621e8007f39cbcb23eb86b00299

SHA1
f80f0d936797074ef43db3d0f963ddd79e27bcbb

SHA256
358b971c0078d1fa135188f19ecfb8b2547c160a7a8fda21b5aaee6b49770df3

SHA512
1d3231a7046821a69460b3e1688b42554ca043b008a2940ced1dfecc94ec928f39e63cb00800e202fc552a4673d29a655b5e36c806ae9f3d502db1a5aa13c206

Download Submit
memory/2192-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2192-1-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/2192-3-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/2192-9-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/2192-14-0x0000000002840000-0x000000000284F000-memory.dmp

Filesize
60KB

Download
memory/2192-16-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2552-18-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2552-26-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2552-25-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download