97b65be6c46ad9e28f291b309753b7ab90af2e9e5f7009b1248abcddfc285008

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 15:33

Target

2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe
Size

39KB
MD5

53e97dd5c4e5d82ab023e6aa7045487e
SHA1

9d0f007c030a37c40dfeb9f895477ca031d1f82c
SHA256

97b65be6c46ad9e28f291b309753b7ab90af2e9e5f7009b1248abcddfc285008
SHA512

55a24f91b015c4374b8db4bae78f17dbea161a80c1f9ffff04821c80e95bafdf270157c2a5d7fd395aed3871a41800dd21a4470aa5ee3bbf9f47bcbe97992900
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDDw3sCu5b+qZw7pM:bgGYcA/53GADw8ClqZw7pM

Score

9^/10

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hasfj.exe	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

Processes:

hasfj.exe

pid process

288 hasfj.exe
Loads dropped DLL 1 IoCs

Processes:

2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe

pid process

2612 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
288	hasfj.exe

pid	process
2612	2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe

description	pid	process	target process
PID 2612 wrote to memory of 288	2612	2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe	hasfj.exe
PID 2612 wrote to memory of 288	2612	2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe	hasfj.exe
PID 2612 wrote to memory of 288	2612	2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe	hasfj.exe
PID 2612 wrote to memory of 288	2612	2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe	hasfj.exe

C:\Users\Admin\AppData\Local\Temp\hasfj.exe
"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
2⤵
- Executes dropped EXE
PID:288

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\hasfj.exe
Filesize
39KB

MD5
79d4f336c64449c2fcf225ee3a73b9ee

SHA1
e20a603fe363a6061b05c5a6c22cf1b51be7b69b

SHA256
c492f4c4ceed311a602dbe5bba80664e1dd76c4e572ef014294f6c4ef4f58c32

SHA512
f94530dab1d5c64bc9ec988cfcb4bd63ed52ca2e44ddf94ddf43daf6cab9e093f709df2359aa0a462ee3024f01ee960a95cf96ad1bf4441783b707b980c88fe5

Download Submit
memory/288-15-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/288-22-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/2612-0-0x0000000000870000-0x0000000000876000-memory.dmp

Filesize
24KB

Download
memory/2612-2-0x0000000000890000-0x0000000000896000-memory.dmp

Filesize
24KB

Download
memory/2612-1-0x0000000000870000-0x0000000000876000-memory.dmp

Filesize
24KB

Download