1038b719b09acd92fc1104707d0f23689a2a658bf6155e81909142c5f9eb7663

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_628d4eb9db09a76ad90379fe738599e7_cryptolocker.exe
Size

40KB
MD5

628d4eb9db09a76ad90379fe738599e7
SHA1

15b949f51b00c9add59cf2d82b1332d3e23ed316
SHA256

1038b719b09acd92fc1104707d0f23689a2a658bf6155e81909142c5f9eb7663
SHA512

1582c49c6dab8e0920a669d6d8558e5f3cb69c9de82ff53c64c219c2f62b9ca87ac42d61596fb562666d40fdd420796123cb0c011ea7a465da1c64b627503e53
SSDEEP

768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkITY/8:qDdFJy3QMOtEvwDpjjWMl7TZ

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/1928-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000c000000012274-11.dat	CryptoLocker_rule2
behavioral1/memory/1928-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2748-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2748-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 5 IoCs

resource	yara_rule
behavioral1/memory/1928-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000c000000012274-11.dat	CryptoLocker_set1
behavioral1/memory/1928-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2748-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2748-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/memory/1928-0-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/files/0x000c000000012274-11.dat	UPX
behavioral1/memory/1928-16-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/2748-17-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/2748-27-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2748	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1928	2024-06-02_628d4eb9db09a76ad90379fe738599e7_cryptolocker.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1928-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000c000000012274-11.dat	upx
behavioral1/memory/1928-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2748-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2748-27-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2748	1928	2024-06-02_628d4eb9db09a76ad90379fe738599e7_cryptolocker.exe	28
PID 1928 wrote to memory of 2748	1928	2024-06-02_628d4eb9db09a76ad90379fe738599e7_cryptolocker.exe	28
PID 1928 wrote to memory of 2748	1928	2024-06-02_628d4eb9db09a76ad90379fe738599e7_cryptolocker.exe	28
PID 1928 wrote to memory of 2748	1928	2024-06-02_628d4eb9db09a76ad90379fe738599e7_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-02_628d4eb9db09a76ad90379fe738599e7_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_628d4eb9db09a76ad90379fe738599e7_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
40KB

MD5
6a75641f4a6ac5aaf3f7319c891a65e6

SHA1
4c87ffa76e019ef26d7ac2e03c53ae2629321690

SHA256
a11b23bc50bef2de01d7264939a54442d13c91f3631ba7aac59313eb32112a81

SHA512
6959da4da2cde7d0ea46b8655dadb1d34d864c3b88ab16f41d17ee4bb10736e24e9f60b6dd52b8480dc537f5b41b7ae72c5108a482b50a63d14150581d545d74

Download Submit
memory/1928-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1928-1-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/1928-2-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1928-9-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/1928-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2748-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2748-19-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2748-26-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2748-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download