66d946805e8280e2cf1cd88d5663a564642c3ac7c11f06a1df3bd331a8a1b4f4

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_02695b6ef13cc34c4d103281b682fbb1_cryptolocker.exe
Size

74KB
MD5

02695b6ef13cc34c4d103281b682fbb1
SHA1

4dc84c0b8fb8e963a6353ad9476130c8155bda78
SHA256

66d946805e8280e2cf1cd88d5663a564642c3ac7c11f06a1df3bd331a8a1b4f4
SHA512

ea46481f8c6d279eac5bde66cad2be661dcbd4bdbfb999b652e2609a34bf4983b8919f7a85e5a09dabbf61554efc4e551eb9eb2dd61ee1ffb445b51990930f63
SSDEEP

768:u6LsoEEeegiZPvEhHSG+gZgtOOtEvwDpjeY10Y/YMsPxY:u6QFElP6n+gWMOtEvwDpjJGYQbi

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012286-10.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012286-10.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
1300	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1776	2024-06-11_02695b6ef13cc34c4d103281b682fbb1_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1300	1776	2024-06-11_02695b6ef13cc34c4d103281b682fbb1_cryptolocker.exe	28
PID 1776 wrote to memory of 1300	1776	2024-06-11_02695b6ef13cc34c4d103281b682fbb1_cryptolocker.exe	28
PID 1776 wrote to memory of 1300	1776	2024-06-11_02695b6ef13cc34c4d103281b682fbb1_cryptolocker.exe	28
PID 1776 wrote to memory of 1300	1776	2024-06-11_02695b6ef13cc34c4d103281b682fbb1_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-11_02695b6ef13cc34c4d103281b682fbb1_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_02695b6ef13cc34c4d103281b682fbb1_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
74KB

MD5
e6e59989d3195a211aeef8d9da3b7698

SHA1
4ffd2e2370a7b998177b03e318687784432f9ff4

SHA256
249bed62e2cc9245a7f84905d668d88678041cf61e4e5b8ffb4dcdea4b835ace

SHA512
c4d946a12f42dd71300ff0ffef571c4eff33f4875c14d8134bae1b9e7933fa1256c7150dc84f4b4efaf6e6317d047cff25f50b42c447be96fbe74eb93216858b

Download Submit
memory/1300-15-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1300-22-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1776-0-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/1776-1-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/1776-8-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download