89deb7c93801fb6ad1a343e0cb5344133e09ca27d8f308362553269643f30b47

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 12:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe
Size

4.5MB
MD5

6eb9432f3648130a07a96f3a5ebfda31
SHA1

02ecca996c9e3c734ac933241d5dbcb21869e1d2
SHA256

89deb7c93801fb6ad1a343e0cb5344133e09ca27d8f308362553269643f30b47
SHA512

dfe8f10d055548c2808412d452310330b47ca311861d41ca41b7f677fc0c3b6ba27ba9cf113f96773a44402962ee130b0c8e3d6e132c23889862a645b49d7af3
SSDEEP

98304:g/ZFIjBzldUfs/ZFIjBz7jSZD1tU7ymTV:g/ZFIjBzF/ZFIjBzPEUusV

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012254-10.dat	CryptoLocker_rule2
behavioral1/files/0x000a000000012254-21.dat	CryptoLocker_rule2

Detects executables built or packed with MPress PE compressor 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012254-10.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000a000000012254-21.dat	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
1528	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
3064	2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1528	3064	2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe	28
PID 3064 wrote to memory of 1528	3064	2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe	28
PID 3064 wrote to memory of 1528	3064	2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe	28
PID 3064 wrote to memory of 1528	3064	2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
4.1MB

MD5
8586c2ca8398948e0f4189c2543540b0

SHA1
60f7aae35ad03c225e071f9eec67c63f6d50a713

SHA256
01bdce7903fbe3016c27c7357f128b1ddf61b1491fa400a56f33b0c1b1010dcc

SHA512
658ae4aa8234350429b53d0f011e6402468d2c1c50ec6d616897e7c359de532cd6312f20655b68b5e73a4c2f902f2f311e137920be4698a6ed6efe24e57485a2

Download Submit
\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
4.5MB

MD5
273181aeb7694153c5d8dd81d2522838

SHA1
66ea65ef238203bb13ddd503a68f26f088ef4899

SHA256
29278b9d202b64a65df72cb0cb2bcd48813a204e11510ff16d179f7426b43151

SHA512
8376f0482f272a15c83835d40524a7f3e97d3a81918f5dcfc321e735e685a1e3b5b50a4cb037ae485c81613f6dd0d9a1eeeb58d383f62b8717ad1890b0236457

Download Submit
memory/1528-15-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/1528-22-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/3064-0-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/3064-1-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/3064-3-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download