8252615b6b8177089e255b93aa3e19badd304c91fb4d692896e6e45ad51c2b0e

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_977a974fd4118d5d0867688bdba18a0c_cryptolocker.exe
Size

31KB
MD5

977a974fd4118d5d0867688bdba18a0c
SHA1

087c82c0c25c8a2d56810a904f16d2ba6beaa8f5
SHA256

8252615b6b8177089e255b93aa3e19badd304c91fb4d692896e6e45ad51c2b0e
SHA512

a3e6e7aa15e662b7660e3d58e70a8e4d299b65415b75123504a18788e2c5db1ff053888a5e428fece3d3ee2376c5c54c7aa7382bf16a8611b34193c5103a01fc
SSDEEP

384:bG74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUGTGSWLw:bG74zYcgT/Ekd0ryfjck

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/3008-0-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000a00000001224e-11.dat	CryptoLocker_rule2
behavioral1/memory/3008-15-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1816-16-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1816-26-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1816	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
3008	2024-04-24_977a974fd4118d5d0867688bdba18a0c_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 1816	3008	2024-04-24_977a974fd4118d5d0867688bdba18a0c_cryptolocker.exe	28
PID 3008 wrote to memory of 1816	3008	2024-04-24_977a974fd4118d5d0867688bdba18a0c_cryptolocker.exe	28
PID 3008 wrote to memory of 1816	3008	2024-04-24_977a974fd4118d5d0867688bdba18a0c_cryptolocker.exe	28
PID 3008 wrote to memory of 1816	3008	2024-04-24_977a974fd4118d5d0867688bdba18a0c_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-24_977a974fd4118d5d0867688bdba18a0c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_977a974fd4118d5d0867688bdba18a0c_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
31KB

MD5
2d613797e925eb5b3f2fde071006335c

SHA1
5dd0e6d1b6f9f21ec76bbc98ae2eb10328692330

SHA256
6918469eedf2c0adc414522f931b38d74bac387612d37465f078bf79ea2cfbf2

SHA512
6f503353b2a93e7a1273e636eb49b34fb2869b22e735820c04abfd50bf8dcc033955a4cece13b129a95df4b03f54d028a14e7c4320a267ff13e7a1d7ed1204a7

Download Submit
memory/1816-16-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/1816-18-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1816-25-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1816-26-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/3008-0-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/3008-1-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/3008-3-0x0000000002D00000-0x0000000002D06000-memory.dmp

Filesize
24KB

Download
memory/3008-2-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/3008-15-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download