8ae7d91b42e261cab4316110ea9b7137cf2f9a0b499a1a282dc18fbb6b5db2d4

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_21d7c1ffa3b91a46ce25af6ef8d1668c_cryptolocker.exe
Size

385KB
MD5

21d7c1ffa3b91a46ce25af6ef8d1668c
SHA1

845543e03aa755c3343df53d1555bf03ffa13408
SHA256

8ae7d91b42e261cab4316110ea9b7137cf2f9a0b499a1a282dc18fbb6b5db2d4
SHA512

50ccdbe9cc036a85a95b0866c6fe3ddebb9988e13f44dade158b66204aa60c40812c6e7ba62235acfe9e5aae5bd15e1844da31d0e1cef480c3d2934c302597d0
SSDEEP

6144:nnOsaQgAOjvrZFODJjBz3j1jTqQy6v2GGnugOtihzXD:nnOflT/ZFIjBz3xjTxynGUOUhXD

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012251-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2144	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
3020	2024-02-21_21d7c1ffa3b91a46ce25af6ef8d1668c_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2144	3020	2024-02-21_21d7c1ffa3b91a46ce25af6ef8d1668c_cryptolocker.exe	28
PID 3020 wrote to memory of 2144	3020	2024-02-21_21d7c1ffa3b91a46ce25af6ef8d1668c_cryptolocker.exe	28
PID 3020 wrote to memory of 2144	3020	2024-02-21_21d7c1ffa3b91a46ce25af6ef8d1668c_cryptolocker.exe	28
PID 3020 wrote to memory of 2144	3020	2024-02-21_21d7c1ffa3b91a46ce25af6ef8d1668c_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-21_21d7c1ffa3b91a46ce25af6ef8d1668c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_21d7c1ffa3b91a46ce25af6ef8d1668c_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
385KB

MD5
b81ff67399672c46a4700acceb2c4f12

SHA1
ef183f99ceea0c89b89bc7be6e4ac36c2ece9a6d

SHA256
486710d7b9fa94cb6747851e0e67c5ae64ddcf0317861b4e71d1c62274efa384

SHA512
e65704300f5bb14333b979f939f80e085ca554b376c943acf8a5deef63e9742e9103b3f7acf23d51825170c6142efefe2f173459c7a6a5e36660aa4cd3d47da8

Download Submit
memory/2144-15-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/2144-20-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/3020-0-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/3020-1-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/3020-2-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download