Analysis
- max time kernel: 0s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 05/01/2024, 05:47
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe
- Resource: win10v2004-20231215-en
General
- Target: 2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe
- Size: 30KB
- MD5: a6216aa1a1cd6f1b286fcd26ac73594b
- SHA1: 19422828ba1110ace4821b8cb9d162914a308e08
- SHA256: 509ad50cddd2a5642381c57c4ae4fa800ca508c968532d7299e8691991dc2c10
- SHA512: 7cdb686d2e8ad6dac8a7fd7290482fd272a129b84df88a6f50400692eaed1a42dfdf5b59c9b712a86eeaed320f243bc4999bbd3cf5a3c64bb2f3d6430ad7ce1b
- SSDEEP: 384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUgIunIYvxF:bA74zYcgT/Ekd0ryfjPIunvvxF
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid: 2000, Process: hasfj.exe
- Loads dropped DLL (1 IoC)
  pid: 1984, Process: 2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1984 wrote to memory of 2000, pid: 1984, Process: 2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe, procid_target: 16
  description: PID 1984 wrote to memory of 2000, pid: 1984, Process: 2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe, procid_target: 16
  description: PID 1984 wrote to memory of 2000, pid: 1984, Process: 2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe, procid_target: 16
  description: PID 1984 wrote to memory of 2000, pid: 1984, Process: 2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe, procid_target: 16
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe (PID: 1984)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-01_a6216aa1a1cd6f1b286fcd26ac73594b_cryptolocker.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\hasfj.exe (PID: 2000)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 9c2477d659e4c40e2472cb4832f4f5fe
  SHA1: 404f9b934bf6ef1b18116bd2a861a04d072f7752
  SHA256: 30ab8df775cbc0d522cb06ea2a9966abe493d115a726bbb1e3a29c958c600221
  SHA512: 98235e95a9f1c8388635839f2ff5cc7bd5c8b465d0a219bd91c4c0169b445bc567fd0cc4ee967ae9f8489ab7066674374bbe1fca862ced8c7128d4dde4121396
- Filesize: 30KB
  MD5: ebd7ba5e2a3aa33d822f655b9d3f836b
  SHA1: cf91c5a39a982fb0bb86adc5cc0a04f20b6270e7
  SHA256: 3aba53ff0641b8d43b074c039e5a77c9a404ffe8b1e9a2eb39dce10aeba0f716
  SHA512: c868efa1e7cac35c3a84385e32b6c3fda6cb57a88e313670c23bdfc067d0fe29dafe7b2b26c09f5534fb04b5f4906385ed6b792f7f419ea2a04eeccd6d6be8ef