3c0371e1b60f8c6644f134855812236374d8767c0b30d953946ff518fab5194f

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/06/2024, 17:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_6f55a8a167b1be15ba4bc9b4c3a3a7a3_cryptolocker.exe
Size

45KB
MD5

6f55a8a167b1be15ba4bc9b4c3a3a7a3
SHA1

9bd129a499a6388aed47bff4e43be553d8b5e81d
SHA256

3c0371e1b60f8c6644f134855812236374d8767c0b30d953946ff518fab5194f
SHA512

411e058c93e75cd45deb68a79ffca5f52f69c89650daba3a6bd4d862cda8aeb6e6ee879502f9430b07458ef31a778a614a6a28114f21eccc8a67e1bf1eec8879
SSDEEP

384:bm74uGLLQRcsdeQ72ngEr4K7YmE8jb0nrlwfjDUknqt:bm74zYcgT/EkM0ryfjdnqt

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/3068-0-0x0000000008000000-0x000000000800D000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000a0000000122ec-11.dat	CryptoLocker_rule2
behavioral1/memory/3068-15-0x0000000008000000-0x000000000800D000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2256-16-0x0000000008000000-0x000000000800D000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2256-26-0x0000000008000000-0x000000000800D000-memory.dmp	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2256	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
3068	2024-06-16_6f55a8a167b1be15ba4bc9b4c3a3a7a3_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2256	3068	2024-06-16_6f55a8a167b1be15ba4bc9b4c3a3a7a3_cryptolocker.exe	28
PID 3068 wrote to memory of 2256	3068	2024-06-16_6f55a8a167b1be15ba4bc9b4c3a3a7a3_cryptolocker.exe	28
PID 3068 wrote to memory of 2256	3068	2024-06-16_6f55a8a167b1be15ba4bc9b4c3a3a7a3_cryptolocker.exe	28
PID 3068 wrote to memory of 2256	3068	2024-06-16_6f55a8a167b1be15ba4bc9b4c3a3a7a3_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-16_6f55a8a167b1be15ba4bc9b4c3a3a7a3_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_6f55a8a167b1be15ba4bc9b4c3a3a7a3_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
45KB

MD5
02cd3bffe84de14c0cfc0f5db8168be0

SHA1
373af32f2d8c2cbe36f712628e1325ae9e89d738

SHA256
0bfccebc17c8ee1c2cfe0ecb36df6643760c0d6d30fed6cfd7acda39937fc2e9

SHA512
63e2a2bc9892c3405c42b757237a69f90a8a53ed27b3c2da371a9db4fc12859260c19f2016652ad0c2b8ae5a77743d3deb41419e798c2eb0db34b8ebe5e00b51

Download Submit
memory/2256-16-0x0000000008000000-0x000000000800D000-memory.dmp

Filesize
52KB

Download
memory/2256-18-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/2256-25-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2256-26-0x0000000008000000-0x000000000800D000-memory.dmp

Filesize
52KB

Download
memory/3068-0-0x0000000008000000-0x000000000800D000-memory.dmp

Filesize
52KB

Download
memory/3068-2-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/3068-9-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/3068-1-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/3068-15-0x0000000008000000-0x000000000800D000-memory.dmp

Filesize
52KB

Download