f2ea060be826a55cf54d85f7ec7b75dcf53502bae32dec4f189ac350029a8989

Analysis

max time kernel
150s
max time network
157s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-27_658f8d8041eade3274e243ef4ec6d382_cryptolocker.exe
Size

31KB
MD5

658f8d8041eade3274e243ef4ec6d382
SHA1

2ecd719e20c2ff0d1b9a639975571c303c989297
SHA256

f2ea060be826a55cf54d85f7ec7b75dcf53502bae32dec4f189ac350029a8989
SHA512

2f1fc253d5dd0f4635a3627b79aa2d0ccf541eb9e1075ae839c6bcdc0f266182ca399e19305440c279f4a03b0065e025774975715bc9fe68bd778d347af556c1
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUr766SJ/Tl+bltoGk65P:bA74zYcgT/Ekd0ryfjQRSlwltYY

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000d000000014909-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2884	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2212	2024-02-27_658f8d8041eade3274e243ef4ec6d382_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2884	2212	2024-02-27_658f8d8041eade3274e243ef4ec6d382_cryptolocker.exe	28
PID 2212 wrote to memory of 2884	2212	2024-02-27_658f8d8041eade3274e243ef4ec6d382_cryptolocker.exe	28
PID 2212 wrote to memory of 2884	2212	2024-02-27_658f8d8041eade3274e243ef4ec6d382_cryptolocker.exe	28
PID 2212 wrote to memory of 2884	2212	2024-02-27_658f8d8041eade3274e243ef4ec6d382_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-27_658f8d8041eade3274e243ef4ec6d382_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-27_658f8d8041eade3274e243ef4ec6d382_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
32KB

MD5
245845f35a0f04df4a5633410b77e77c

SHA1
e944d9491dcb9a9bc3a5a1c2efdfdb9567aba972

SHA256
c80a03f54620b847f5bb38ae346ff51e16f2fd655b87ff703892e7ad769dd7ef

SHA512
ffea34870201b7d6344cfbd254bae46fc71f64e48ba1310b821c1e72b863bcf61f23f297753ca72afac78d543a4b5f52bf3b8964219bdf5211d9dbb762a5cbfe

Download Submit
memory/2212-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2212-2-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2212-1-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/2884-15-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/2884-17-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download