3be994907032dc62c0280e72bbd98415e3c07d214a1ea3b934b94f8f93e75941

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-02_a1c3fdf7f923e6afd515b4723a7dd39a_cryptolocker.exe
Size

35KB
MD5

a1c3fdf7f923e6afd515b4723a7dd39a
SHA1

85bc8240f24e39ee787fcafbeb357ae60feb2873
SHA256

3be994907032dc62c0280e72bbd98415e3c07d214a1ea3b934b94f8f93e75941
SHA512

3484c7a10da23b5ab9ce89164ed056c21afaf1681e963a4c6ff851bd29915f8011f99369eb9601b1f9d2fc1a886b69fbb79d45990230335ae94e084445801867
SSDEEP

768:bA74zYcgT/Ekd0ryfjPIunqpeNswm6GZ6:bA6YcA/X6G0W1PGZ6

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000013413-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2840	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2100	2024-05-02_a1c3fdf7f923e6afd515b4723a7dd39a_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2840	2100	2024-05-02_a1c3fdf7f923e6afd515b4723a7dd39a_cryptolocker.exe	28
PID 2100 wrote to memory of 2840	2100	2024-05-02_a1c3fdf7f923e6afd515b4723a7dd39a_cryptolocker.exe	28
PID 2100 wrote to memory of 2840	2100	2024-05-02_a1c3fdf7f923e6afd515b4723a7dd39a_cryptolocker.exe	28
PID 2100 wrote to memory of 2840	2100	2024-05-02_a1c3fdf7f923e6afd515b4723a7dd39a_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-02_a1c3fdf7f923e6afd515b4723a7dd39a_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-02_a1c3fdf7f923e6afd515b4723a7dd39a_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
35KB

MD5
9c1bd32fa180adb4c5a834512d62f0b3

SHA1
244b353fac3c2fbced717f2ec608d811b2193f8f

SHA256
96e0d5739c2f0e14aad25e329c9f08ae462cda742a42510f1ba876655f49229f

SHA512
316f45ac1894e8893742b6464f44fdb5c9c85012f9b44b901c8ff2eb0f3a521f1bd4b4c9fd21827967fdf43f21b4b6cfc4f699e6d3992a60fe49e3de242c78c3

Download Submit
memory/2100-0-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/2100-1-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/2100-8-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/2840-15-0x0000000001CB0000-0x0000000001CB6000-memory.dmp

Filesize
24KB

Download
memory/2840-22-0x0000000001CA0000-0x0000000001CA6000-memory.dmp

Filesize
24KB

Download