e3bf8b8c9955b8777c9c4e03ce41fdca156cfaf079f916aeb924fd3b22cb7073

Analysis

max time kernel
141s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_6dc40b688b2a33daac42dbde66558be2_cryptolocker.exe
Size

31KB
MD5

6dc40b688b2a33daac42dbde66558be2
SHA1

0cf80d96f92818423086001fa0147db4b5fa5b97
SHA256

e3bf8b8c9955b8777c9c4e03ce41fdca156cfaf079f916aeb924fd3b22cb7073
SHA512

b2c8ce4ba830674c337c2242c7dec7fbedc93180e46d6dac0e7801984f1cb980056c4ab95465559b499f03105bebedfd2a9121a09c1970563e44f47622315547
SSDEEP

384:bG74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUGTG2G:bG74zYcgT/Ekd0ryfjTG

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/2700-0-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000a000000012247-11.dat	CryptoLocker_rule2
behavioral1/memory/2700-16-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1536-17-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1536-27-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1536	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2700	2024-04-20_6dc40b688b2a33daac42dbde66558be2_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1536	2700	2024-04-20_6dc40b688b2a33daac42dbde66558be2_cryptolocker.exe	28
PID 2700 wrote to memory of 1536	2700	2024-04-20_6dc40b688b2a33daac42dbde66558be2_cryptolocker.exe	28
PID 2700 wrote to memory of 1536	2700	2024-04-20_6dc40b688b2a33daac42dbde66558be2_cryptolocker.exe	28
PID 2700 wrote to memory of 1536	2700	2024-04-20_6dc40b688b2a33daac42dbde66558be2_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-20_6dc40b688b2a33daac42dbde66558be2_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_6dc40b688b2a33daac42dbde66558be2_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
31KB

MD5
1429d0cb398a97f4d72871d761894952

SHA1
ea40d75eff8b7fd7390ae20d4cbe6c7cc44e46d2

SHA256
b6a5f754c2939c604310c78fef746461ed628d5dab99a4e89860fdf6efd0a001

SHA512
a31fb7bf2c379070b8903751bfde9a1ad419d437e743c1e0f6dc89bbc78486464b97665e101734688ca9b51ee0d91e7fdd6f7050bfaee17e08e47b7458982d38

Download Submit
memory/1536-17-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/1536-19-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1536-20-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/1536-27-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2700-0-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2700-1-0x0000000001C80000-0x0000000001C86000-memory.dmp

Filesize
24KB

Download
memory/2700-3-0x0000000001C80000-0x0000000001C86000-memory.dmp

Filesize
24KB

Download
memory/2700-2-0x0000000001CA0000-0x0000000001CA6000-memory.dmp

Filesize
24KB

Download
memory/2700-13-0x0000000002DF0000-0x0000000002DFA000-memory.dmp

Filesize
40KB

Download
memory/2700-16-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download