cf45c24d484f566eeadecf553a90122632f7c2c5e57a8276f056d5c5ce06ff9a

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_731579c183dce7462015abb58b606d9c_cryptolocker.exe
Size

39KB
MD5

731579c183dce7462015abb58b606d9c
SHA1

30ca7469a59fbbe1b168f1d97183aae671260761
SHA256

cf45c24d484f566eeadecf553a90122632f7c2c5e57a8276f056d5c5ce06ff9a
SHA512

493210561c6f0d4c004b42e3e78dd7bc58bcd60abd4a187040bceccda3ea145b5225542546a419910694093ebd9b7b647cecdbfcd72da0148e617af8544e3805
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDDw3sCu529hyn:bgGYcA/53GADw8Ch94

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000013a1a-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2220	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2888	2024-01-27_731579c183dce7462015abb58b606d9c_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2220	2888	2024-01-27_731579c183dce7462015abb58b606d9c_cryptolocker.exe	28
PID 2888 wrote to memory of 2220	2888	2024-01-27_731579c183dce7462015abb58b606d9c_cryptolocker.exe	28
PID 2888 wrote to memory of 2220	2888	2024-01-27_731579c183dce7462015abb58b606d9c_cryptolocker.exe	28
PID 2888 wrote to memory of 2220	2888	2024-01-27_731579c183dce7462015abb58b606d9c_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-27_731579c183dce7462015abb58b606d9c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_731579c183dce7462015abb58b606d9c_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
39KB

MD5
d15b15033fdc535f0860c3c1446316a5

SHA1
522fc4ee37d5483be5ca4d64fa8a4531b50b3ac8

SHA256
8009c3765f4d7ec5dfb3b62870c54a12cea7503ad79c51858f2d8929ad551175

SHA512
3cde516565a6e40b974f76732867c76fa5979215784875fa3467454bdfe285d24b7c17492aa9050e26bbeeb6c39abb54e53ccd130fe03fe1163ea536088b0deb

Download Submit
memory/2220-15-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2220-22-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/2888-0-0x0000000001CE0000-0x0000000001CE6000-memory.dmp

Filesize
24KB

Download
memory/2888-1-0x0000000002D00000-0x0000000002D06000-memory.dmp

Filesize
24KB

Download
memory/2888-8-0x0000000001CE0000-0x0000000001CE6000-memory.dmp

Filesize
24KB

Download