5c49c19a2738ffe430ee00bcadece77cba67ef215d738285b02f94b7754569e6

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_7c692d44fdd0ada5f84366ea8d242215_cryptolocker.exe
Size

47KB
MD5

7c692d44fdd0ada5f84366ea8d242215
SHA1

6f8650bb61fa0a00f5c0a46255da8c5f87ef44d3
SHA256

5c49c19a2738ffe430ee00bcadece77cba67ef215d738285b02f94b7754569e6
SHA512

8c7e34afc4253d083a00561e88bda8f57aecc054280bae8d7c08d1f436a231b8556b640c10fd2b5eef33f42162f51a867b332383e9d12c5aa084838b2abd1f77
SSDEEP

384:e/4wODQkzonAYsju5N/surDQtOOtEvwDpjqIGROqS/WccJVJwi2B5oCCM8CLW2Vs:79inqyNR/QtOOtEvwDpjBKccJVODvy31

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/1692-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000b00000001560a-11.dat	CryptoLocker_rule2
behavioral1/memory/1692-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1692-13-0x00000000008C0000-0x00000000008CF000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2908-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral1/memory/1692-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000b00000001560a-11.dat	CryptoLocker_set1
behavioral1/memory/1692-15-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2908-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2908	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1692	2024-05-28_7c692d44fdd0ada5f84366ea8d242215_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2908	1692	2024-05-28_7c692d44fdd0ada5f84366ea8d242215_cryptolocker.exe	28
PID 1692 wrote to memory of 2908	1692	2024-05-28_7c692d44fdd0ada5f84366ea8d242215_cryptolocker.exe	28
PID 1692 wrote to memory of 2908	1692	2024-05-28_7c692d44fdd0ada5f84366ea8d242215_cryptolocker.exe	28
PID 1692 wrote to memory of 2908	1692	2024-05-28_7c692d44fdd0ada5f84366ea8d242215_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-28_7c692d44fdd0ada5f84366ea8d242215_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_7c692d44fdd0ada5f84366ea8d242215_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
47KB

MD5
84f3fd07305823a625e8d343e401103f

SHA1
59999999924cd64a9d80184e5b4478d64d600586

SHA256
82da2734ce31c34789ccefa6fe135cc951067df27dde5e43e1b3a85ec4cf6fef

SHA512
76594c99bf66fb6f81008adcf06d3dda57f6c008a5d332c7b55ee84da7437ea64726869127e8923963972f09c936a5548ec826831eef9cec0ab08c04d0899bd6

Download Submit
memory/1692-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1692-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1692-2-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1692-3-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/1692-15-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1692-13-0x00000000008C0000-0x00000000008CF000-memory.dmp

Filesize
60KB

Download
memory/2908-17-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2908-19-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2908-20-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download