60f1842b8321b2c845baa9cccba39da210e06ab7831048fb6ca6a753c1ca348f

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-09_369b833467d1b7640aab7c525c26adf2_cryptolocker.exe
Size

31KB
MD5

369b833467d1b7640aab7c525c26adf2
SHA1

7f3fe834a76a3be71b1a081d5e17b8f684ecb225
SHA256

60f1842b8321b2c845baa9cccba39da210e06ab7831048fb6ca6a753c1ca348f
SHA512

c416c683a76e0b1fbad636573343bef98c35299218e0c6d2f6522ec81b1e0be3c76dffb1ebba252dbd2e3851e77e21cff31b07001efec464c0110cf15d62fa11
SSDEEP

384:bG74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUGTG0n:bG74zYcgT/Ekd0ryfjvn

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/2528-0-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000d000000014708-11.dat	CryptoLocker_rule2
behavioral1/memory/2392-16-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2528-14-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2392-26-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2392	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2528	2024-05-09_369b833467d1b7640aab7c525c26adf2_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2392	2528	2024-05-09_369b833467d1b7640aab7c525c26adf2_cryptolocker.exe	28
PID 2528 wrote to memory of 2392	2528	2024-05-09_369b833467d1b7640aab7c525c26adf2_cryptolocker.exe	28
PID 2528 wrote to memory of 2392	2528	2024-05-09_369b833467d1b7640aab7c525c26adf2_cryptolocker.exe	28
PID 2528 wrote to memory of 2392	2528	2024-05-09_369b833467d1b7640aab7c525c26adf2_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-09_369b833467d1b7640aab7c525c26adf2_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-09_369b833467d1b7640aab7c525c26adf2_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
31KB

MD5
50c2724eccbb234313cf7bf58c1acc27

SHA1
4c5895b94d617b49cb1ba670206e947dc7e6404e

SHA256
fbe5d51de509a6ab30c4f8569dea7b04a7bfc9378d41f43dde69f76798539b46

SHA512
666da196c9edebf77c7a6504fe528b3b732eb5027bda640bb12f18c23aacb796648da5a091561a82f2ab055fc627788d6102e176d460f5bb24527653afc6a437

Download Submit
memory/2392-16-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2392-18-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/2392-25-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/2392-26-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2528-0-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2528-9-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2528-2-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/2528-1-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2528-14-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download