9a5bc3594ecff0dd920ebf802e5f0faac08b6809cc0e1c01fb4191be5ee6b2a0

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 19:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_9198a14cbca053677ba8f2da25feab25_cryptolocker.exe
Size

53KB
MD5

9198a14cbca053677ba8f2da25feab25
SHA1

16b80ce970f62267da41ea1b56ee25aa75cb73e3
SHA256

9a5bc3594ecff0dd920ebf802e5f0faac08b6809cc0e1c01fb4191be5ee6b2a0
SHA512

010b5e72c5474e9305d4b21591516dc866cb0faa36fb7dc601315b50e6a1be6acccebe892461d3acfb78dfb6e33a6358ac4c3fa2745d3c54556ce24ed10baac6
SSDEEP

768:z6LsoEEeegiZPvEhHSG+gzum/kLyMro2GtOOtEvwDpj/YY1J+OTOo:z6QFElP6n+gKmddpMOtEvwDpj31io

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/1096-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000c000000014f71-11.dat	CryptoLocker_rule2
behavioral1/memory/2020-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1096-14-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2020-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 5 IoCs

resource	yara_rule
behavioral1/memory/1096-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000c000000014f71-11.dat	CryptoLocker_set1
behavioral1/memory/2020-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/1096-14-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2020-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/memory/1096-0-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/files/0x000c000000014f71-11.dat	UPX
behavioral1/memory/2020-16-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/1096-14-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral1/memory/2020-26-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2020	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1096	2024-06-08_9198a14cbca053677ba8f2da25feab25_cryptolocker.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1096-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000c000000014f71-11.dat	upx
behavioral1/memory/2020-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1096-14-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2020-26-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2020	1096	2024-06-08_9198a14cbca053677ba8f2da25feab25_cryptolocker.exe	28
PID 1096 wrote to memory of 2020	1096	2024-06-08_9198a14cbca053677ba8f2da25feab25_cryptolocker.exe	28
PID 1096 wrote to memory of 2020	1096	2024-06-08_9198a14cbca053677ba8f2da25feab25_cryptolocker.exe	28
PID 1096 wrote to memory of 2020	1096	2024-06-08_9198a14cbca053677ba8f2da25feab25_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-08_9198a14cbca053677ba8f2da25feab25_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9198a14cbca053677ba8f2da25feab25_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
53KB

MD5
136e5cbc03ab8a25d9bfe1cfb834f428

SHA1
11baa1e975d5e71273ed9ebf29892664901713d9

SHA256
cb86480be181598fc0e542ca0996f36697ddf79efe1e8c88df7dadc3e99d24aa

SHA512
2bb051b94d428e9c202cabce7cd3d4fd1a25482f9e9d61749ed3f1887674df7ff43492d783db8e5cd36d157c7fedc7a9de04fb65e607b44c45301d07ad9b1e75

Download Submit
memory/1096-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1096-1-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/1096-2-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/1096-9-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/1096-14-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2020-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2020-25-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/2020-18-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2020-26-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download