458ff5047e76020dff2181577c4714885a03080c360a6377f58813db268b9c38

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 17:45

Target

2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe
Size

32KB
MD5

9cd29ba79ff7818d50312eb8e7b45a9f
SHA1

3c18a1ec3d1a601f88e8852aa5a2ac2feb935e1a
SHA256

458ff5047e76020dff2181577c4714885a03080c360a6377f58813db268b9c38
SHA512

f9862864653e4c490a22f923c71be7d10afc8d87ef648db150ecb3bbe3ead974120f7dc30d1b8dd480b2e5d44ee7ef8ff64c27d4fad6ffee060697c91546e1ca
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUr766SJXTQke8SDSCCt:bA74zYcgT/Ekd0ryfjQRSNhpSDM

Score

9^/10

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\hasfj.exe	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

Processes:

hasfj.exe

pid process

2688 hasfj.exe
Loads dropped DLL 1 IoCs

Processes:

2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe

pid process

1632 2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2688	hasfj.exe

pid	process
1632	2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe

description	pid	process	target process
PID 1632 wrote to memory of 2688	1632	2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe	hasfj.exe
PID 1632 wrote to memory of 2688	1632	2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe	hasfj.exe
PID 1632 wrote to memory of 2688	1632	2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe	hasfj.exe
PID 1632 wrote to memory of 2688	1632	2024-02-12_9cd29ba79ff7818d50312eb8e7b45a9f_cryptolocker.exe	hasfj.exe

C:\Users\Admin\AppData\Local\Temp\hasfj.exe
"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
2⤵
- Executes dropped EXE
PID:2688

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
32KB

MD5
5bd944ce128c3f6fb2447cc170ee878d

SHA1
98b24d9e7f517ee1610a55342920a373a714906f

SHA256
d14a3bf99f88d3ae1a6a00aa0196cb00b91c2ae2eed39b7b63174656add46d29

SHA512
bfa2054c2ec81d8a34ae8b99e4c6d38649477c867b2078a51b73d4cb4ea62a31d57fc3b520db7835f8abd1ab1dbe1f96c719c7197973aac550cac11e91b8a066

Download Submit
memory/1632-0-0x0000000000410000-0x0000000000416000-memory.dmp

Filesize
24KB

Download
memory/1632-1-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/1632-2-0x0000000000410000-0x0000000000416000-memory.dmp

Filesize
24KB

Download
memory/2688-16-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/2688-15-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download