8c5065bf732c148aa9292b04dd2c8226f02a2c11270a35669c254756b802192c

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_68d80097f6fba1c5b91b7b8404b084aa_cryptolocker.exe
Size

40KB
MD5

68d80097f6fba1c5b91b7b8404b084aa
SHA1

b2886b3c05c0bbfb22fc6a717a1b3f8a0b709532
SHA256

8c5065bf732c148aa9292b04dd2c8226f02a2c11270a35669c254756b802192c
SHA512

884ec1601391bdc8c74cbb7ce4083e0175248c1fb1b0c9c9c717b8b021316c6e72de8f66eedb1824e9d36ac264a389eaec4776875c7490f9ba0daac9106d1243
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDDw3sCu5b+rc5vVcFo:bgGYcA/53GADw8ClrcTcFo

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015f01-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1960	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
952	2024-01-25_68d80097f6fba1c5b91b7b8404b084aa_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1960	952	2024-01-25_68d80097f6fba1c5b91b7b8404b084aa_cryptolocker.exe	28
PID 952 wrote to memory of 1960	952	2024-01-25_68d80097f6fba1c5b91b7b8404b084aa_cryptolocker.exe	28
PID 952 wrote to memory of 1960	952	2024-01-25_68d80097f6fba1c5b91b7b8404b084aa_cryptolocker.exe	28
PID 952 wrote to memory of 1960	952	2024-01-25_68d80097f6fba1c5b91b7b8404b084aa_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-25_68d80097f6fba1c5b91b7b8404b084aa_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_68d80097f6fba1c5b91b7b8404b084aa_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
40KB

MD5
f69a386d58c0d54b9a85378d483dcc40

SHA1
c116a40428c24a75433526b77595904e62f5c267

SHA256
230bf5afcd133608b10818d2252d3525ab35a3b780486e0bd0f0cb37c2143003

SHA512
04d7c019976e6ffbf099e5c66f17642dce186025b9767caf05558265e85246f3a57a39edd2a4f3ca070a7aba0218953cffaacdc9873b9a3bb76339ade65aabe2

Download Submit
memory/952-1-0x0000000001CF0000-0x0000000001CF6000-memory.dmp

Filesize
24KB

Download
memory/952-0-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/952-3-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1960-15-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/1960-22-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download