912f85a5faa8792df70940d31ac4f5782c3b2452438b3d076c043a501a2b055f

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_ce3ad4599bc5b0639439dae16b89fb3d_cryptolocker.exe
Size

36KB
MD5

ce3ad4599bc5b0639439dae16b89fb3d
SHA1

d38ee1e0734fdad998587609be04d651ac61aeb3
SHA256

912f85a5faa8792df70940d31ac4f5782c3b2452438b3d076c043a501a2b055f
SHA512

1c2bf192d3ac2e237813ba21d1734073427df9ce4b686e51363628d92a9abeb9282d41d5d21a7062e4ec3901e9b2418139a2a6966a2fd0db91f082bb681d292b
SSDEEP

768:q7PdFecFS5agQtOOtEvwDpjeMLZdzuqpXsiE8Wq/DpkIT3:qDdFJy3QMOtEvwDpjjWMl7T3

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2792	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1916	2024-06-28_ce3ad4599bc5b0639439dae16b89fb3d_cryptolocker.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1916-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000a000000012286-11.dat	upx
behavioral1/memory/1916-13-0x00000000004E0000-0x00000000004F0000-memory.dmp	upx
behavioral1/memory/1916-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2792-27-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2792	1916	2024-06-28_ce3ad4599bc5b0639439dae16b89fb3d_cryptolocker.exe	28
PID 1916 wrote to memory of 2792	1916	2024-06-28_ce3ad4599bc5b0639439dae16b89fb3d_cryptolocker.exe	28
PID 1916 wrote to memory of 2792	1916	2024-06-28_ce3ad4599bc5b0639439dae16b89fb3d_cryptolocker.exe	28
PID 1916 wrote to memory of 2792	1916	2024-06-28_ce3ad4599bc5b0639439dae16b89fb3d_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-28_ce3ad4599bc5b0639439dae16b89fb3d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_ce3ad4599bc5b0639439dae16b89fb3d_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
36KB

MD5
9ee96d436bc9977b9216966ca2d6a476

SHA1
813f53a91400970bdc494eb7bd41d965d149bdc3

SHA256
831d611897c16174f61971ba3f85552e391f25cac116c41b36a73f7c1237dbd1

SHA512
390a887c51fdc94c7a04d887cb33500928ef08dfdc2e87243a0dab47aeef50d6645a790a5039b94a980f229f0760dd7504f2d4072ec03c4eed51951bee368537

Download Submit
memory/1916-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1916-2-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1916-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1916-9-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1916-13-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/1916-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2792-19-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download
memory/2792-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2792-26-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download