326a6c1da063e018754d548f3cd83745a72e946cad61a4660366055794db184d

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_ee681e474db265b1276f463bc84e37ce_cryptolocker.exe
Size

34KB
MD5

ee681e474db265b1276f463bc84e37ce
SHA1

c8fa7ed053e63965c021069b0d567e4e389d65b1
SHA256

326a6c1da063e018754d548f3cd83745a72e946cad61a4660366055794db184d
SHA512

588b9e2fa39b96543ea5238dd080a0f3c76043aa736da3c5d287ebbc3adf41e8510871d597870cf57347022da2aab7fd0542fb4e9b4b7e4a46f78bee1fc079a5
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUqMV6U8zKvGaLLA+j:bA74zYcgT/Ekd0ryfj86U8zbCA+j

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015626-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2140	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2884	2024-01-25_ee681e474db265b1276f463bc84e37ce_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2140	2884	2024-01-25_ee681e474db265b1276f463bc84e37ce_cryptolocker.exe	28
PID 2884 wrote to memory of 2140	2884	2024-01-25_ee681e474db265b1276f463bc84e37ce_cryptolocker.exe	28
PID 2884 wrote to memory of 2140	2884	2024-01-25_ee681e474db265b1276f463bc84e37ce_cryptolocker.exe	28
PID 2884 wrote to memory of 2140	2884	2024-01-25_ee681e474db265b1276f463bc84e37ce_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ee681e474db265b1276f463bc84e37ce_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ee681e474db265b1276f463bc84e37ce_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
34KB

MD5
58d91cb8939e1cefc4d56c5de3009e3f

SHA1
ea0e7be0f01b7fc009475309706cd23d06971153

SHA256
5a50a199debe29a395fc22e09167dab7b55dc9177a0f58fe35e75a4b3c89cd20

SHA512
2195b6989582aea4fbfccce60f02ee7719276639dca0f53aa9f3170da8682f09b71ba1cbdcbe3708dce221c4be317cdd66dfb2b03ff612becbf34c3f661dcf84

Download Submit
memory/2140-15-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2140-17-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2884-0-0x0000000001CA0000-0x0000000001CA6000-memory.dmp

Filesize
24KB

Download
memory/2884-1-0x0000000001CB0000-0x0000000001CB6000-memory.dmp

Filesize
24KB

Download
memory/2884-7-0x0000000001CA0000-0x0000000001CA6000-memory.dmp

Filesize
24KB

Download