cc981d82f6529faf583a250af4ce28437f8a5c69b6567338fc3c85d44917c230

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17/02/2024, 15:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_031c07963921c0274bbfd86c9774ed46_cryptolocker.exe
Size

46KB
MD5

031c07963921c0274bbfd86c9774ed46
SHA1

b7534c484f10df04ddcfe366cacd77f2bc280e76
SHA256

cc981d82f6529faf583a250af4ce28437f8a5c69b6567338fc3c85d44917c230
SHA512

09d0017a68be3de8968e3386715791795d294131067ad9f1a023c5dc281fe2e24ddc31c746383588724e896617c27bee400a226f58baff74a35a22f9c7999c26
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37Yl6IMhyG:bgGYcA/53GAA6y37Q6z7

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000120ff-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2672	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
836	2024-02-17_031c07963921c0274bbfd86c9774ed46_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2672	836	2024-02-17_031c07963921c0274bbfd86c9774ed46_cryptolocker.exe	28
PID 836 wrote to memory of 2672	836	2024-02-17_031c07963921c0274bbfd86c9774ed46_cryptolocker.exe	28
PID 836 wrote to memory of 2672	836	2024-02-17_031c07963921c0274bbfd86c9774ed46_cryptolocker.exe	28
PID 836 wrote to memory of 2672	836	2024-02-17_031c07963921c0274bbfd86c9774ed46_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-17_031c07963921c0274bbfd86c9774ed46_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_031c07963921c0274bbfd86c9774ed46_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
46KB

MD5
2339b49afc557a6d85ef529f604cc43d

SHA1
3dbcb303c2d5af08c42300da08339a9afdc7e361

SHA256
5d91bbce726ea88ef12232a22274bb00d7a62e4033b6438a23caa42f8aaf8780

SHA512
f5f788e7e82374c0e22bee791e534cfd348cee1ed8572cd83c8d4b71d82345aad5de2d882275df25d526964fef0d946de434b1bd65ec144f7977abdd20f98acd

Download Submit
memory/836-0-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/836-1-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/836-2-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/2672-15-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2672-16-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download