7b846b11d4c31debe36dd2d1b0b30819d37fb3ce428e55d753baa8bbb54c9089

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_6144804e61bde7be3d7decfa3832d199_cryptolocker.exe
Size

40KB
MD5

6144804e61bde7be3d7decfa3832d199
SHA1

c7c7bbedfc9b659ffeb8754cd50f4ee5f424d95b
SHA256

7b846b11d4c31debe36dd2d1b0b30819d37fb3ce428e55d753baa8bbb54c9089
SHA512

952d9322c52ced1e1a86a35d5e48234dacbdc5feedfabe670fcdd4411b99ec6adefcc3ef8c4827f8edcc452f515bf996f3de34b7407789a2635774d25939ddca
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDDw3sCu5mXW1Rb:bgGYcA/53GADw8C3q9

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012253-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2556	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2868	2024-04-11_6144804e61bde7be3d7decfa3832d199_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2556	2868	2024-04-11_6144804e61bde7be3d7decfa3832d199_cryptolocker.exe	28
PID 2868 wrote to memory of 2556	2868	2024-04-11_6144804e61bde7be3d7decfa3832d199_cryptolocker.exe	28
PID 2868 wrote to memory of 2556	2868	2024-04-11_6144804e61bde7be3d7decfa3832d199_cryptolocker.exe	28
PID 2868 wrote to memory of 2556	2868	2024-04-11_6144804e61bde7be3d7decfa3832d199_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-11_6144804e61bde7be3d7decfa3832d199_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_6144804e61bde7be3d7decfa3832d199_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
40KB

MD5
4f8f2a0a9b701934a6586c6311e2b203

SHA1
a1137165d9d8f003c0518dda1d991d2290052699

SHA256
bd2411fd86c1d2f8a17635b45170c043ffe8fb4b4debebb50777689e98ba6146

SHA512
0186a1a3b3c9dd0b9db2c4638a63f532469faa2d982c5fa667a20123b0eeb42737345430ccb94c032b876148a4b18ee9dabe0a64bc16f68e800089f3e911fb2d

Download Submit
memory/2556-15-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/2556-22-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2868-0-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/2868-1-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2868-4-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download