231ffcd06cb9b376fcb433a078a18e8a1e1f6707d13f0bc888aafc7790a6d5d6

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/06/2024, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_a3c0b44236ba7e69b53eaee0721d88d0_cryptolocker.exe
Size

33KB
MD5

a3c0b44236ba7e69b53eaee0721d88d0
SHA1

ed48521a3ad96a2373e1c42debda03105bed3203
SHA256

231ffcd06cb9b376fcb433a078a18e8a1e1f6707d13f0bc888aafc7790a6d5d6
SHA512

125c768ef8abf5763a81b06d1caeeede51c50844aa4a4d12bd3823abee351a0cac766e3da40a44495c7a0be97ef7acdcd9074ca03a493e1f2040a987d1cda95f
SSDEEP

384:bG74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUGTGXvJP:bG74zYcgT/Ekd0ryfjkx

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/2920-0-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000a00000001227e-11.dat	CryptoLocker_rule2
behavioral1/memory/2920-14-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2256-16-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2256-26-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2256	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2920	2024-06-16_a3c0b44236ba7e69b53eaee0721d88d0_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2256	2920	2024-06-16_a3c0b44236ba7e69b53eaee0721d88d0_cryptolocker.exe	28
PID 2920 wrote to memory of 2256	2920	2024-06-16_a3c0b44236ba7e69b53eaee0721d88d0_cryptolocker.exe	28
PID 2920 wrote to memory of 2256	2920	2024-06-16_a3c0b44236ba7e69b53eaee0721d88d0_cryptolocker.exe	28
PID 2920 wrote to memory of 2256	2920	2024-06-16_a3c0b44236ba7e69b53eaee0721d88d0_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-16_a3c0b44236ba7e69b53eaee0721d88d0_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_a3c0b44236ba7e69b53eaee0721d88d0_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
33KB

MD5
c8318ec0e277e0437e7c4c21ed4b8135

SHA1
aaec5f3664afa8eb63a2ebb995cd188c01275831

SHA256
c5a2baf86fe8d5d6a55f5de683bd89b30e80d5fb2c0ed168d4b7d4f51edaf907

SHA512
9f077e13cf7eedb43c44d872ac62a47383880512466dd9798c32fdbcc003a8a812534fd9077be2f17270b237d6125fb3508b7e33b8bf4e4d573d866c6e41ceb5

Download Submit
memory/2256-16-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2256-18-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2256-25-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2256-26-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2920-0-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2920-1-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2920-9-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2920-2-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/2920-14-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download