79fcdb47ec97beaf4db4bff3480fe4f6c12cff9a88968d897b7246931e460d88

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-05-2024 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-05_2c0c3f5bf4659b4bd34e77bc85b45313_cryptolocker.exe
Size

31KB
MD5

2c0c3f5bf4659b4bd34e77bc85b45313
SHA1

2479f0319e6d8960aec3a3e5c9bf160dc3f5c4a6
SHA256

79fcdb47ec97beaf4db4bff3480fe4f6c12cff9a88968d897b7246931e460d88
SHA512

0e23fc5c3e74effb040aaed322348a43d03e3da4c06d4dcc3dd2819aa327b065b9825bc9ab0395962aba0c02953faf037af9d4bd85d68b89066808684e6c3025
SSDEEP

384:bG74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUGTGQV:bG74zYcgT/Ekd0ryfjrV

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122b8-24.dat	CryptoLocker_rule2
behavioral1/memory/1268-16-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2140-15-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2140-0-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1268-26-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1268	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2140	2024-05-05_2c0c3f5bf4659b4bd34e77bc85b45313_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1268	2140	2024-05-05_2c0c3f5bf4659b4bd34e77bc85b45313_cryptolocker.exe	28
PID 2140 wrote to memory of 1268	2140	2024-05-05_2c0c3f5bf4659b4bd34e77bc85b45313_cryptolocker.exe	28
PID 2140 wrote to memory of 1268	2140	2024-05-05_2c0c3f5bf4659b4bd34e77bc85b45313_cryptolocker.exe	28
PID 2140 wrote to memory of 1268	2140	2024-05-05_2c0c3f5bf4659b4bd34e77bc85b45313_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-05_2c0c3f5bf4659b4bd34e77bc85b45313_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-05_2c0c3f5bf4659b4bd34e77bc85b45313_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
32KB

MD5
88eded72473bc2a8e3caefb4c3e6095f

SHA1
6f47fdf800e13be245f803177483cc58a801fb93

SHA256
d4cc90c52a7e89c9f9f97b6f3d4b34ffcd2b5f283551ab35bdbe1d874e34414a

SHA512
5570730a81d998b2e7804c6d810b89405b7c84152aff847d7091237f137468b3bfd3f3e3b497781bc5a79729d929285bb1f3b564e613ac907e4df221b9290776

Download Submit
memory/1268-25-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/1268-18-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/1268-16-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/1268-26-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2140-15-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2140-9-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2140-2-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2140-1-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2140-0-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download