5e396e89bbe0b19b9035c3d8ca53bf493a4020c8412201f39f0f310e00f3b5fb

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_b1f992e1121e0b10775c28016e887e37_cryptolocker.exe
Size

24KB
MD5

b1f992e1121e0b10775c28016e887e37
SHA1

8702997d83655bc1894f0fa5472da00bea7038d0
SHA256

5e396e89bbe0b19b9035c3d8ca53bf493a4020c8412201f39f0f310e00f3b5fb
SHA512

f7f5569cbe1738220a1801f37dac9c6ecad3fa9c5ec65cb22019b4400670a0cecbd463230a0f21de0357c1f0426ffdcd1d9cf9055b7b65ebfe9e9d90edecaa89
SSDEEP

384:bVCPwFRuFn65arz1ZhdaXFXSCVQTLfjDp6HnD2U:bVCPwFRo6CpwXFXSqQXfjAHDx

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2968-0-0x0000000008000000-0x000000000800E000-memory.dmp	CryptoLocker_rule2
\Users\Admin\AppData\Local\Temp\hasfj.exe	CryptoLocker_rule2
behavioral1/memory/2564-17-0x0000000008000000-0x000000000800E000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2968-16-0x0000000008000000-0x000000000800E000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2564-27-0x0000000008000000-0x000000000800E000-memory.dmp	CryptoLocker_rule2

UPX dump on OEP (original entry point) 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2968-0-0x0000000008000000-0x000000000800E000-memory.dmp	UPX
\Users\Admin\AppData\Local\Temp\hasfj.exe	UPX
behavioral1/memory/2564-17-0x0000000008000000-0x000000000800E000-memory.dmp	UPX
behavioral1/memory/2968-16-0x0000000008000000-0x000000000800E000-memory.dmp	UPX
behavioral1/memory/2564-27-0x0000000008000000-0x000000000800E000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

Processes:

hasfj.exe

pid process

2564 hasfj.exe
Loads dropped DLL 1 IoCs

Processes:

2024-05-21_b1f992e1121e0b10775c28016e887e37_cryptolocker.exe

pid process

2968 2024-05-21_b1f992e1121e0b10775c28016e887e37_cryptolocker.exe

pid	process
2564	hasfj.exe

pid	process
2968	2024-05-21_b1f992e1121e0b10775c28016e887e37_cryptolocker.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2968-0-0x0000000008000000-0x000000000800E000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\hasfj.exe	upx
behavioral1/memory/2564-17-0x0000000008000000-0x000000000800E000-memory.dmp	upx
behavioral1/memory/2968-16-0x0000000008000000-0x000000000800E000-memory.dmp	upx
behavioral1/memory/2564-27-0x0000000008000000-0x000000000800E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-05-21_b1f992e1121e0b10775c28016e887e37_cryptolocker.exe

description	pid	process	target process
PID 2968 wrote to memory of 2564	2968	2024-05-21_b1f992e1121e0b10775c28016e887e37_cryptolocker.exe	hasfj.exe
PID 2968 wrote to memory of 2564	2968	2024-05-21_b1f992e1121e0b10775c28016e887e37_cryptolocker.exe	hasfj.exe
PID 2968 wrote to memory of 2564	2968	2024-05-21_b1f992e1121e0b10775c28016e887e37_cryptolocker.exe	hasfj.exe
PID 2968 wrote to memory of 2564	2968	2024-05-21_b1f992e1121e0b10775c28016e887e37_cryptolocker.exe	hasfj.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_b1f992e1121e0b10775c28016e887e37_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_b1f992e1121e0b10775c28016e887e37_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
24KB

MD5
7a4074d9cd3d5b1e450386b23a8143a3

SHA1
f957885d98e7f1d236e116514fbbf9ff1e0eb4a6

SHA256
a5ac1da6f2158dbecd4683fdc07fbae335d1c0dc833a58874be192cb2751d20f

SHA512
47c885a4a04ed6bd56a0f0ae9a89d31172e800e02ad529ad0f286c261ec8cd78216e22f5cb804cae36073c2531f8c85c09a071c7dfc4a3210341dc809b87a4a7

Download Submit
memory/2564-17-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download
memory/2564-19-0x0000000001CB0000-0x0000000001CB6000-memory.dmp

Filesize
24KB

Download
memory/2564-26-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/2564-27-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download
memory/2968-0-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download
memory/2968-1-0x0000000001CE0000-0x0000000001CE6000-memory.dmp

Filesize
24KB

Download
memory/2968-2-0x0000000001CF0000-0x0000000001CF6000-memory.dmp

Filesize
24KB

Download
memory/2968-9-0x0000000001CE0000-0x0000000001CE6000-memory.dmp

Filesize
24KB

Download
memory/2968-16-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download