509ad50cddd2a5642381c57c4ae4fa800ca508c968532d7299e8691991dc2c10

Analysis

max time kernel
0s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe
Size

30KB
MD5

a6216aa1a1cd6f1b286fcd26ac73594b
SHA1

19422828ba1110ace4821b8cb9d162914a308e08
SHA256

509ad50cddd2a5642381c57c4ae4fa800ca508c968532d7299e8691991dc2c10
SHA512

7cdb686d2e8ad6dac8a7fd7290482fd272a129b84df88a6f50400692eaed1a42dfdf5b59c9b712a86eeaed320f243bc4999bbd3cf5a3c64bb2f3d6430ad7ce1b
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUgIunIYvxF:bA74zYcgT/Ekd0ryfjPIunvvxF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2000	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
1984	2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2000	1984	2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe	16
PID 1984 wrote to memory of 2000	1984	2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe	16
PID 1984 wrote to memory of 2000	1984	2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe	16
PID 1984 wrote to memory of 2000	1984	2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe	16

C:\Users\Admin\AppData\Local\Temp\2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
1KB

MD5
9c2477d659e4c40e2472cb4832f4f5fe

SHA1
404f9b934bf6ef1b18116bd2a861a04d072f7752

SHA256
30ab8df775cbc0d522cb06ea2a9966abe493d115a726bbb1e3a29c958c600221

SHA512
98235e95a9f1c8388635839f2ff5cc7bd5c8b465d0a219bd91c4c0169b445bc567fd0cc4ee967ae9f8489ab7066674374bbe1fca862ced8c7128d4dde4121396

Download Submit
\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
30KB

MD5
ebd7ba5e2a3aa33d822f655b9d3f836b

SHA1
cf91c5a39a982fb0bb86adc5cc0a04f20b6270e7

SHA256
3aba53ff0641b8d43b074c039e5a77c9a404ffe8b1e9a2eb39dce10aeba0f716

SHA512
c868efa1e7cac35c3a84385e32b6c3fda6cb57a88e313670c23bdfc067d0fe29dafe7b2b26c09f5534fb04b5f4906385ed6b792f7f419ea2a04eeccd6d6be8ef

Download Submit
memory/1984-8-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1984-1-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/1984-0-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2000-22-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/2000-15-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download