bf3b32874bb1079272087a522b70b698493e14122ebc176d17e475f972ff0852

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19-02-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_306a36fe1296cf1b772c80ca2a2618a4_cryptolocker.exe
Size

37KB
MD5

306a36fe1296cf1b772c80ca2a2618a4
SHA1

1856c31ffe4f6d4b6af6210939d06af879c58c4e
SHA256

bf3b32874bb1079272087a522b70b698493e14122ebc176d17e475f972ff0852
SHA512

bff0fd487cdcf5e74556cf459988138e78c81114ab3657730dd7cd5411fecb92ff2476a02db1ac8df28c861e7681063dcad8dae87d0ed6cbbd69d2cce1918c4f
SSDEEP

384:bgX4uGLLQRcsdeQ7/nQu63Ag7YmecFanrlwfjDUkKDfWf0w3sp8u5cZnfXR:bgX4zYcgTEu6QOaryfjqDDw3sCu5mXR

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012320-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1744	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2204	2024-02-19_306a36fe1296cf1b772c80ca2a2618a4_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1744	2204	2024-02-19_306a36fe1296cf1b772c80ca2a2618a4_cryptolocker.exe	17
PID 2204 wrote to memory of 1744	2204	2024-02-19_306a36fe1296cf1b772c80ca2a2618a4_cryptolocker.exe	17
PID 2204 wrote to memory of 1744	2204	2024-02-19_306a36fe1296cf1b772c80ca2a2618a4_cryptolocker.exe	17
PID 2204 wrote to memory of 1744	2204	2024-02-19_306a36fe1296cf1b772c80ca2a2618a4_cryptolocker.exe	17

C:\Users\Admin\AppData\Local\Temp\2024-02-19_306a36fe1296cf1b772c80ca2a2618a4_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_306a36fe1296cf1b772c80ca2a2618a4_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
37KB

MD5
2478a4163c37b60dc2da4dfe8bf9385a

SHA1
24e72b2180c5f6048d3970d95a03a06788c0fc47

SHA256
37a67ecd6d515c738a233dc0f51949ecef58df2e7a563b31ac20432dd0174c2e

SHA512
d850c9282e951c340d2c22b8bd354dcd01298bb3762fb3da62f78d7be68020d16e283b1c53e9c0dc2a446f80dcf696280c3d920386e55adc8822b4c243bca35f

Download Submit
memory/1744-22-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/1744-15-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/2204-0-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/2204-2-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2204-1-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download