ae91a1c603b3c9b9a9b4587cd605eaaa383b6415ff78fa45141e2ad2081108fb

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_2e459f79f52e4ff3fa7ff903b2793f5a_cryptolocker.exe
Size

36KB
MD5

2e459f79f52e4ff3fa7ff903b2793f5a
SHA1

d462a28bd038ab691daad025338784e2f726a7d8
SHA256

ae91a1c603b3c9b9a9b4587cd605eaaa383b6415ff78fa45141e2ad2081108fb
SHA512

369ae2e85d0645ecda4c942157cf73004823251bcd7c1c5ea0c5839617884553dc22c45b6f717a683fbb9c613df02c37bbcfb46312ad8c973db51d8aa91628e9
SSDEEP

768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkITB:qDdFJy3QMOtEvwDpjjWMl7TB

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2360	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2436	2024-06-27_2e459f79f52e4ff3fa7ff903b2793f5a_cryptolocker.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2436-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000e00000001228a-11.dat	upx
behavioral1/memory/2436-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2360-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2360-27-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2360	2436	2024-06-27_2e459f79f52e4ff3fa7ff903b2793f5a_cryptolocker.exe	28
PID 2436 wrote to memory of 2360	2436	2024-06-27_2e459f79f52e4ff3fa7ff903b2793f5a_cryptolocker.exe	28
PID 2436 wrote to memory of 2360	2436	2024-06-27_2e459f79f52e4ff3fa7ff903b2793f5a_cryptolocker.exe	28
PID 2436 wrote to memory of 2360	2436	2024-06-27_2e459f79f52e4ff3fa7ff903b2793f5a_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-27_2e459f79f52e4ff3fa7ff903b2793f5a_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_2e459f79f52e4ff3fa7ff903b2793f5a_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
37KB

MD5
0ef4141e098e75b1bf567b8864962854

SHA1
d69d8b4ddf359876bd038967462d5e59a3d662b3

SHA256
d9b53468e8f2175071deba4e487fbcb56cfd16b57a7c5a3f5e8b596c0570d7c7

SHA512
a766cdc6155db4f968ae2657cb1f3b4963e838fded9d131818efbfdabf9ef8d5e4604107532a4691110dc9f3021f984f5daefef15ed70cd8ed7c8fe7ee4cd7c3

Download Submit
memory/2360-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2360-19-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2360-26-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2360-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2436-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2436-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2436-2-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2436-9-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2436-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download