0faf85def308d9f66e131c51ebd2337c97ba503ed6aaced5370f97330309ed91

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 19:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_4a4186f2a3351a0a04302df89f0b0145_cryptolocker.exe
Size

42KB
MD5

4a4186f2a3351a0a04302df89f0b0145
SHA1

57665fdb8610d34ee1c6529f8f0e10aab099b6d8
SHA256

0faf85def308d9f66e131c51ebd2337c97ba503ed6aaced5370f97330309ed91
SHA512

7b96cec51b2afa5de002a20fa3d5e82e29800f722ab38e214e766c6833e49ffdb8bfe8841c0fba026e403b660a9bb1549e7d7d978b7077d08481c26ce2ea41fe
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37YbDu5k:bgGYcA/53GAA6y37nG

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001223f-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2796	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2836	2024-01-28_4a4186f2a3351a0a04302df89f0b0145_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2796	2836	2024-01-28_4a4186f2a3351a0a04302df89f0b0145_cryptolocker.exe	28
PID 2836 wrote to memory of 2796	2836	2024-01-28_4a4186f2a3351a0a04302df89f0b0145_cryptolocker.exe	28
PID 2836 wrote to memory of 2796	2836	2024-01-28_4a4186f2a3351a0a04302df89f0b0145_cryptolocker.exe	28
PID 2836 wrote to memory of 2796	2836	2024-01-28_4a4186f2a3351a0a04302df89f0b0145_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-28_4a4186f2a3351a0a04302df89f0b0145_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_4a4186f2a3351a0a04302df89f0b0145_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
42KB

MD5
ab24b9152f383788b3f635a18aa19950

SHA1
2aedc977d3d61d07b623ad9dcfa7c9ce81f68b56

SHA256
4d7ab1fb0f151b6a4ef8e399ab5e1c81582baceacf96bf5a9b5518803d1cf129

SHA512
d4a52e70499248427aa3ddcf7a3708495792e6fdeb602fad0541d68bd98850ace9f870b042e25f517cbf79fb500e800f15dc1355c496473e60eb228926a39864

Download Submit
memory/2796-15-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2796-17-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2836-0-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2836-1-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2836-2-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download