968f897f4909bb65d5e17c0d754345449de529707ed80c9156cc46ee209bc44c

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_e56fa1a5bf87c7b85bb705a0ce5cdb7c_cryptolocker.exe
Size

55KB
MD5

e56fa1a5bf87c7b85bb705a0ce5cdb7c
SHA1

8b237777934b67933da11c03cfe494768023e10c
SHA256

968f897f4909bb65d5e17c0d754345449de529707ed80c9156cc46ee209bc44c
SHA512

7c02241002b2c7163f475b26671874c487b32691ea02bd98f741a8cc6c45980d9eb801b91485601eb2b5e8a67b4d73eb46edf597783f711fd960710e926ef8e0
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/BtOOtEvwDpjBVaD3E09vxmlcaTIE0:X6QFElP6n+gJBMOtEvwDpjBtExmlc

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001227e-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001227e-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
2604	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1736	2024-06-07_e56fa1a5bf87c7b85bb705a0ce5cdb7c_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2604	1736	2024-06-07_e56fa1a5bf87c7b85bb705a0ce5cdb7c_cryptolocker.exe	28
PID 1736 wrote to memory of 2604	1736	2024-06-07_e56fa1a5bf87c7b85bb705a0ce5cdb7c_cryptolocker.exe	28
PID 1736 wrote to memory of 2604	1736	2024-06-07_e56fa1a5bf87c7b85bb705a0ce5cdb7c_cryptolocker.exe	28
PID 1736 wrote to memory of 2604	1736	2024-06-07_e56fa1a5bf87c7b85bb705a0ce5cdb7c_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-07_e56fa1a5bf87c7b85bb705a0ce5cdb7c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_e56fa1a5bf87c7b85bb705a0ce5cdb7c_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
55KB

MD5
7acefab3d7c73bbc62f80516b33830e3

SHA1
59dd8224b5e1444d5d9c7bb144179aca21915743

SHA256
32670f366be030b9e19e2066efed7ac575b2f74e68f2138bbb6e71c86dba2c9d

SHA512
820420a507249d33a03d87b3ffd4cf4c0cff8f6b61f601048397d226f0fa5068a0d262845b2d0b3abd117e78036b4711248445e6a77a905d08713c3b8068a782

Download Submit
memory/1736-8-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1736-1-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1736-0-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download