419d25c8d0aafe1160898ff4c4a4371f52becf30c4e6f4a10e71eb2277766606

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_7e1afb57e74bdf8a882730af4d27b7ac_cryptolocker.exe
Size

44KB
MD5

7e1afb57e74bdf8a882730af4d27b7ac
SHA1

f4b30824bdf4a6c54430a5a391d5bd0a7ab08143
SHA256

419d25c8d0aafe1160898ff4c4a4371f52becf30c4e6f4a10e71eb2277766606
SHA512

ebc1d3a6cac0845f0365e0321c6c99eaa4913eafcb6215e1db3ca0d2022ab64973711fca7d82af3952dfb1233d1f36be91ce4f9d8d57f00e621b97c2ffe3d870
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBVaD3TP7DFHuRcD9Hxd:X6QFElP6n+gJQMOtEvwDpjBmzDkWDt7

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000f000000012028-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000f000000012028-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2856	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2108	2024-06-06_7e1afb57e74bdf8a882730af4d27b7ac_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2856	2108	2024-06-06_7e1afb57e74bdf8a882730af4d27b7ac_cryptolocker.exe	29
PID 2108 wrote to memory of 2856	2108	2024-06-06_7e1afb57e74bdf8a882730af4d27b7ac_cryptolocker.exe	29
PID 2108 wrote to memory of 2856	2108	2024-06-06_7e1afb57e74bdf8a882730af4d27b7ac_cryptolocker.exe	29
PID 2108 wrote to memory of 2856	2108	2024-06-06_7e1afb57e74bdf8a882730af4d27b7ac_cryptolocker.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-06-06_7e1afb57e74bdf8a882730af4d27b7ac_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_7e1afb57e74bdf8a882730af4d27b7ac_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
44KB

MD5
60103b72019ce80275e08961c003c871

SHA1
24fab9b9e989c89e953354410bbb0d16ce6ddb01

SHA256
ac14497bed9bc32646bf12df3bf2b19ca1c0a3c2c354344b2fc9d869e044a555

SHA512
60cc69324797d70cc546e573759e1da4a1be23425e3b73c3ed225bc6c1f4d32393bd559e21c7b337036e992a46f56caf6327d9b0b53a39e76a4c805ba196cd9a

Download Submit
memory/2108-0-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2108-1-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2108-8-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2856-15-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2856-22-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download