8a167b172a5c142e42bbb53364ab1384589f7ce3c88de1caa7f4b9f37e72add2

Analysis

max time kernel
1s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_196d62f3ad961b348d8ec9706d1f5f89_cryptolocker.exe
Size

42KB
MD5

196d62f3ad961b348d8ec9706d1f5f89
SHA1

4da3a7c13d1f41125204a11e3e5a1075ddd4f836
SHA256

8a167b172a5c142e42bbb53364ab1384589f7ce3c88de1caa7f4b9f37e72add2
SHA512

0232948e30c7ba2ea44dfed02ae0680ef50cd4b9ec94ac8e2f9f23b6c80fa233b74ec657602ef2825af25647a467d7f38cf274ab1b33701d11b4ebe07661d780
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37YbDu5zx:bgGYcA/53GAA6y37nL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1468	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
1072	2024-01-01_196d62f3ad961b348d8ec9706d1f5f89_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1468	1072	2024-01-01_196d62f3ad961b348d8ec9706d1f5f89_cryptolocker.exe	17
PID 1072 wrote to memory of 1468	1072	2024-01-01_196d62f3ad961b348d8ec9706d1f5f89_cryptolocker.exe	17
PID 1072 wrote to memory of 1468	1072	2024-01-01_196d62f3ad961b348d8ec9706d1f5f89_cryptolocker.exe	17
PID 1072 wrote to memory of 1468	1072	2024-01-01_196d62f3ad961b348d8ec9706d1f5f89_cryptolocker.exe	17

C:\Users\Admin\AppData\Local\Temp\2024-01-01_196d62f3ad961b348d8ec9706d1f5f89_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_196d62f3ad961b348d8ec9706d1f5f89_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
18KB

MD5
95195896fa09849b50f7367039757c1f

SHA1
0962c923d533f1d761bb55f3f39dd19699784fe9

SHA256
3f7bebcd03270c27b670a2e3a9735cb6ad37e3f2da5b3089222e7c788d193316

SHA512
73bce7739ea5cf76f2c5733e9c46c1f0b7aa4080cc80dd0029695d80b7cb7df84c01860f068c83ef7a1b656f88112f5db9f0df5aa0d24b8741bde3382b081959

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
9KB

MD5
261cc6d3c9f46032079c846d143db5ab

SHA1
b0c6ed3921e8126dfa4fd4f60a2dc6f71d3fa350

SHA256
b72351528083bcff875f15f3dfbd9548e61b2205a5b21726954a82d199679bec

SHA512
aa431b10d38a9083f8df654d2bd0f57dd4707e89bfdd3b2234dac471e5dc85b6e03e9227ff3cb99366473349e9c9a021166f003a4edaa0e654cb4b1061cdbdff

Download Submit
\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
10KB

MD5
e7ed3e9a594770d71de96b2bf78d23f4

SHA1
2c891cbb52b54650ff7c71ea4402d421cdf4b618

SHA256
7818dc5e3ce030df6a77ef95fe5a76d6264bb8c279aa66bfffbfa7b7688df0ae

SHA512
a73c7bd0fb716d7c15d38fddbfb8cc386ce3ff8d879f60fd28d50311f4eebe5229c750736d91d13f51af34ddf99a74d5a12a651194d3b2d5976a6d93e9d9c8d8

Download Submit
memory/1072-0-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/1072-8-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/1072-1-0x0000000001CA0000-0x0000000001CA6000-memory.dmp

Filesize
24KB

Download
memory/1468-15-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1468-20-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download