e0c56a40b6f49441d2b5e42e9a0f2b0de0ac66b98a5c0ab9698e4d42760c2564

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_2fcd5268985693fa241f9f34b8e1bd63_cryptolocker.exe
Size

385KB
MD5

2fcd5268985693fa241f9f34b8e1bd63
SHA1

c4650b01d518fe1f4c706f55b50cec2a2472f20a
SHA256

e0c56a40b6f49441d2b5e42e9a0f2b0de0ac66b98a5c0ab9698e4d42760c2564
SHA512

722b40fcfe7c69da1d96b083609e005062e91f9b2928180b5273eb34b6317828ff162ae165e3dd7f79641c9befb97cc921fb1f9d6afe40f3f88b3e9a30e410f4
SSDEEP

6144:nnOsaQgAOjvrZFODJjBz3j1jTqQy6v2GGnugOtihzX4:nnOflT/ZFIjBz3xjTxynGUOUhX4

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001224a-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2876	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2772	2024-02-18_2fcd5268985693fa241f9f34b8e1bd63_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2876	2772	2024-02-18_2fcd5268985693fa241f9f34b8e1bd63_cryptolocker.exe	28
PID 2772 wrote to memory of 2876	2772	2024-02-18_2fcd5268985693fa241f9f34b8e1bd63_cryptolocker.exe	28
PID 2772 wrote to memory of 2876	2772	2024-02-18_2fcd5268985693fa241f9f34b8e1bd63_cryptolocker.exe	28
PID 2772 wrote to memory of 2876	2772	2024-02-18_2fcd5268985693fa241f9f34b8e1bd63_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-18_2fcd5268985693fa241f9f34b8e1bd63_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_2fcd5268985693fa241f9f34b8e1bd63_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
385KB

MD5
305195a94c3969b7995a49572983faf8

SHA1
419d08b024ca1d7cc5af7940111f25241070b286

SHA256
9bc6d556caa439d2837b650a7c5b14db89b59f61b9106eff75138d48a8bdb3eb

SHA512
41523757da633d939b0782ab42a1db42af3bad12da77e6db849f7e74a6827c74199e1f3ee99294d638662cba8be1b9add5e4f2014d9f353fd24d11d4074b02a8

Download Submit
memory/2772-0-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/2772-2-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/2772-1-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/2876-15-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/2876-22-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download