e6c9b00617f0ccf69ced32f2724d1d4f86d1767b46440d42d90946e0b4d06151

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 20:25 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-14_552974f1f949b2c5b0c8e0c38269328e_cryptolocker.exe
Size

35KB
MD5

552974f1f949b2c5b0c8e0c38269328e
SHA1

30f80b0bb1bd647d20405faab6fe57513a463976
SHA256

e6c9b00617f0ccf69ced32f2724d1d4f86d1767b46440d42d90946e0b4d06151
SHA512

7593e614c50ebbb7d415ae3ac1bed6de5bf0bfa8274a6506ee23e7ebbe2350898ca14768e73b891c55d7b3a94a770b14d4d7791e2430d49e2ce353646dd486c6
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUgIunIVpeNs23mAA6lx+Mn:bA74zYcgT/Ekd0ryfjPIunqpeNswm6+M

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122ee-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2336	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
1968	2024-05-14_552974f1f949b2c5b0c8e0c38269328e_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2336	1968	2024-05-14_552974f1f949b2c5b0c8e0c38269328e_cryptolocker.exe	28
PID 1968 wrote to memory of 2336	1968	2024-05-14_552974f1f949b2c5b0c8e0c38269328e_cryptolocker.exe	28
PID 1968 wrote to memory of 2336	1968	2024-05-14_552974f1f949b2c5b0c8e0c38269328e_cryptolocker.exe	28
PID 1968 wrote to memory of 2336	1968	2024-05-14_552974f1f949b2c5b0c8e0c38269328e_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-14_552974f1f949b2c5b0c8e0c38269328e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-14_552974f1f949b2c5b0c8e0c38269328e_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2336

Network

DNS

mytarta.com

hasfj.exe

Remote address:

8.8.8.8:53

Request

mytarta.com

IN A

Response

No results found

8.8.8.8:53

mytarta.com

dns

hasfj.exe

57 B
130 B
1
1

DNS Request

mytarta.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
35KB

MD5
08c4d7e690f2f883a97f0b2b292df246

SHA1
b6252f038f8a0c30201d32f265aa2e3e3cf1e0f1

SHA256
23ae3fd218e8dd0322a610147ad4f77308474350beb8bdc135037715f4a48525

SHA512
1ece2c8f3c0e27c868caf2677da5a2d8f1fec48110aec7b2ae1e27e8ad18336e79bcb1f16570b5c09f170a2ad406c94a74f13a8484a61859e840050700e9fce8

Download Submit
memory/1968-1-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1968-0-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/1968-8-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/2336-15-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2336-22-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download