a0304b6888ce6bfc78dfb17adf95ec4fe2dc03200feffb0a0c5a2e48001ce593

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 11:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_1ca20fe29b4d1e47ac5c93ec79efa2a4_cryptolocker.exe
Size

392KB
MD5

1ca20fe29b4d1e47ac5c93ec79efa2a4
SHA1

fdef210309bcb8439b8dd3c972d2b0dd0bed9094
SHA256

a0304b6888ce6bfc78dfb17adf95ec4fe2dc03200feffb0a0c5a2e48001ce593
SHA512

4e3cb7250e64b942802bc4476b33ab8b707b68cf21fc03c38441afcef530f964acd74ee7017d210d9f5a550ff43656a59f03023b57cd9d5cd7d3a0ab6cf51496
SSDEEP

6144:nnOsaQgAOjvrZFODJjBz3j1jTqQy6v2GGnugOtihzXRU:nnOflT/ZFIjBz3xjTxynGUOUhXRU

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012280-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2960	hasfj.exe

Loads dropped DLL 1 IoCs

pid	Process
2792	2024-06-25_1ca20fe29b4d1e47ac5c93ec79efa2a4_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2960	2792	2024-06-25_1ca20fe29b4d1e47ac5c93ec79efa2a4_cryptolocker.exe	28
PID 2792 wrote to memory of 2960	2792	2024-06-25_1ca20fe29b4d1e47ac5c93ec79efa2a4_cryptolocker.exe	28
PID 2792 wrote to memory of 2960	2792	2024-06-25_1ca20fe29b4d1e47ac5c93ec79efa2a4_cryptolocker.exe	28
PID 2792 wrote to memory of 2960	2792	2024-06-25_1ca20fe29b4d1e47ac5c93ec79efa2a4_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-25_1ca20fe29b4d1e47ac5c93ec79efa2a4_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_1ca20fe29b4d1e47ac5c93ec79efa2a4_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
392KB

MD5
7124a6fda6a4fd0ab7a4fe32bbbb779f

SHA1
7b98a9fa86e7e668b16af0af47b870bcfdc24e62

SHA256
aab560777dadfb9ef82302b1fef4c0d6ed53362cc9ae59750a9bf68af07a3db2

SHA512
775e7c55205f4c0b48ab1f8388a9b7874d02c2080a85905aa1c6dd9155545c126f4b149994f2e88bdb6d491ae132ebc73ac9f39903a5567af36645364fd57d13

Download Submit
memory/2792-1-0x0000000000410000-0x0000000000416000-memory.dmp

Filesize
24KB

Download
memory/2792-5-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/2792-0-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/2960-22-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2960-15-0x0000000001CA0000-0x0000000001CA6000-memory.dmp

Filesize
24KB

Download