4cede9e851badc6be7b4e05b8721c9c3feb2b18002f6dc9f6e76143847ea6e99

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-12_1592f83bbe52fe1f280d6257755e1776_cryptolocker.exe
Size

45KB
MD5

1592f83bbe52fe1f280d6257755e1776
SHA1

0917eba72dd94c844cfea48a8dfb309aa1c3c9e2
SHA256

4cede9e851badc6be7b4e05b8721c9c3feb2b18002f6dc9f6e76143847ea6e99
SHA512

e775ff893c752daa9e44d4cf834312ba539c1d09794c04f581a127295dee484d9ad89622b4c2c06729a1abec6de04df702697b1f1a5727dee92852f60022369e
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBVaD3TP7DFHuRcD9Hk2:X6QFElP6n+gJQMOtEvwDpjBmzDkWDtz

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000122b8-13.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000122b8-13.dat	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
1720	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1800	2024-06-12_1592f83bbe52fe1f280d6257755e1776_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1720	1800	2024-06-12_1592f83bbe52fe1f280d6257755e1776_cryptolocker.exe	28
PID 1800 wrote to memory of 1720	1800	2024-06-12_1592f83bbe52fe1f280d6257755e1776_cryptolocker.exe	28
PID 1800 wrote to memory of 1720	1800	2024-06-12_1592f83bbe52fe1f280d6257755e1776_cryptolocker.exe	28
PID 1800 wrote to memory of 1720	1800	2024-06-12_1592f83bbe52fe1f280d6257755e1776_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-12_1592f83bbe52fe1f280d6257755e1776_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_1592f83bbe52fe1f280d6257755e1776_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
45KB

MD5
5f375a25b1e53c933db4413f58a02e0d

SHA1
8db8d5697b0c138edf34bdcb184990788ae939a1

SHA256
93fd74498a9ba019e4fce9f5117115493e94ee1bfe0630a4c63f356267f96c76

SHA512
add4a2b4ff640df94016d74b918ed55dd31696c55bcca461ed627ec1ce9d03cf54b848c852d840b7d6e3e351132e34db916a69cd0e6de41aa346f04426814afd

Download Submit
memory/1720-22-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1720-15-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/1800-0-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/1800-8-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/1800-1-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download