48e695e1b5a97d04ebbef9b141addc66eee1ce5142a2513c52db410144ab897a

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_b37ca98196b3bdc60f9f78fdd24dc152_cryptolocker.exe
Size

32KB
MD5

b37ca98196b3bdc60f9f78fdd24dc152
SHA1

da100e8cd93a58a106fd946371e803350cd2197a
SHA256

48e695e1b5a97d04ebbef9b141addc66eee1ce5142a2513c52db410144ab897a
SHA512

4f6608ad80d61b64d59ac32584d778b2ab3989d66cdf4f49d5e24d20758b95184cc5ac24893d86ad1233dfbfa418755bc315049ef6b99382fab932402281909c
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUr766SJ/Tl+6lt6Gqy4:bA74zYcgT/Ekd0ryfjQRSlpltF4

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000e00000001224e-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2568	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
1936	2024-03-10_b37ca98196b3bdc60f9f78fdd24dc152_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2568	1936	2024-03-10_b37ca98196b3bdc60f9f78fdd24dc152_cryptolocker.exe	28
PID 1936 wrote to memory of 2568	1936	2024-03-10_b37ca98196b3bdc60f9f78fdd24dc152_cryptolocker.exe	28
PID 1936 wrote to memory of 2568	1936	2024-03-10_b37ca98196b3bdc60f9f78fdd24dc152_cryptolocker.exe	28
PID 1936 wrote to memory of 2568	1936	2024-03-10_b37ca98196b3bdc60f9f78fdd24dc152_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-10_b37ca98196b3bdc60f9f78fdd24dc152_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_b37ca98196b3bdc60f9f78fdd24dc152_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
32KB

MD5
03e119ff82f5fb7bde0372b5dfd2db16

SHA1
4eb9b970cf040be452b3b512ffcd90b25d985067

SHA256
e3a0f5f05a00109ae13513cd75671f0e327c981370dd67596f9190437e478320

SHA512
29e8924aea570e626966bc36af4d4952112d7116c5290cde6d8032ac7cf64deed1f36d730e1e33720798189dd7d6664f7ff38160ab94fd5d270e76a1196f828a

Download Submit
memory/1936-0-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/1936-1-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/1936-3-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2568-15-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/2568-17-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download