ebe5f73ed9f2dfce29830d687c0fff2bdef3d5a30b84ee2b24348148fb7b0cf2

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 15:30

Target

2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe
Size

30KB
MD5

448cd77c0907643ee262e3c1a0b171c0
SHA1

a361483d6a0af007221c185b269fcd4abdd431da
SHA256

ebe5f73ed9f2dfce29830d687c0fff2bdef3d5a30b84ee2b24348148fb7b0cf2
SHA512

8f11108b97e8936a9b0435286dcb1fb2c38e30977ad4aae79c51966401a42fb396faf7f42b6aeb753b5637b216349f2024560a50afbce224b9f08426c3814712
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUgIunIyNc:bA74zYcgT/Ekd0ryfjPIunty

Score

9^/10

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\hasfj.exe	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

Processes:

hasfj.exe

pid process

2012 hasfj.exe
Loads dropped DLL 1 IoCs

Processes:

2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe

pid process

1632 2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2012	hasfj.exe

pid	process
1632	2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe

description	pid	process	target process
PID 1632 wrote to memory of 2012	1632	2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe	hasfj.exe
PID 1632 wrote to memory of 2012	1632	2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe	hasfj.exe
PID 1632 wrote to memory of 2012	1632	2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe	hasfj.exe
PID 1632 wrote to memory of 2012	1632	2024-01-25_448cd77c0907643ee262e3c1a0b171c0_cryptolocker.exe	hasfj.exe

C:\Users\Admin\AppData\Local\Temp\hasfj.exe
"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
2⤵
- Executes dropped EXE
PID:2012

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\hasfj.exe
Filesize
30KB

MD5
5ac7d792c7d6ff365c37728fde858ea9

SHA1
3429ebfc31463ce10b3d181cff02a30dd9947130

SHA256
c3069e7194a4eb01a2b80422a6ec4a99945e06cfccba597623998a5b1f1cc38d

SHA512
8e21e9040663fcf1a7122b19311875af73b5ca0ea5124735b77f698229032698ea681728a47536831d6b9318509b114265801f60909d2a26befa9a56cdc7f402

Download Submit
memory/1632-0-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/1632-2-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/1632-1-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2012-15-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2012-22-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download