f81820375a3cb9689a8018cd7b35a8aa9df8dc26f32099c88150cb0113bd2878

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 22:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_1346f7b2fddeee80a812cf4b9da9fd87_cryptolocker.exe
Size

51KB
MD5

1346f7b2fddeee80a812cf4b9da9fd87
SHA1

72e5e4d816c151000a78034db058d7a90caa6588
SHA256

f81820375a3cb9689a8018cd7b35a8aa9df8dc26f32099c88150cb0113bd2878
SHA512

d30e391e4b94dbfff0bbabf4ce44731825ca616a392cf4ce865034880df48e42d08927452631a4c1f9a8161d97e4d4268fff5e8949a9143b034b4ea52bea7757
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37Yl6dIKld5CS4GjtY:bgGYcA/53GAA6y37Q6dI+d5QGZY

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012256-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2176	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
1676	2024-04-16_1346f7b2fddeee80a812cf4b9da9fd87_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2176	1676	2024-04-16_1346f7b2fddeee80a812cf4b9da9fd87_cryptolocker.exe	28
PID 1676 wrote to memory of 2176	1676	2024-04-16_1346f7b2fddeee80a812cf4b9da9fd87_cryptolocker.exe	28
PID 1676 wrote to memory of 2176	1676	2024-04-16_1346f7b2fddeee80a812cf4b9da9fd87_cryptolocker.exe	28
PID 1676 wrote to memory of 2176	1676	2024-04-16_1346f7b2fddeee80a812cf4b9da9fd87_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-16_1346f7b2fddeee80a812cf4b9da9fd87_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_1346f7b2fddeee80a812cf4b9da9fd87_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
52KB

MD5
768e2065f7a1a9d140bbc328f1dac1c9

SHA1
1dc462e75feec8d562ec663f7c9bed9c248a257b

SHA256
86ae2e0f32e2baa5921d73b20f07f33528aeea725600b434a3f4d4b170d9c15f

SHA512
6fa35f4cb695b73a692621dd6cb3682e2b83781934fce7943478ca6a25602a0500b7dca1f9ea77bdac028e8af119f74748211ccc5ac4797089d399dfb2233f98

Download Submit
memory/1676-0-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/1676-1-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/1676-3-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2176-15-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/2176-22-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download