Analysis
-
max time kernel
17s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
09/01/2024, 06:40
Static task
static1
Behavioral task
behavioral1
Sample
2024-01-08_4b6bbd51490cefb107ff79fd82d0fae3_cryptolocker.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-01-08_4b6bbd51490cefb107ff79fd82d0fae3_cryptolocker.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-01-08_4b6bbd51490cefb107ff79fd82d0fae3_cryptolocker.exe
-
Size
50KB
-
MD5
4b6bbd51490cefb107ff79fd82d0fae3
-
SHA1
221aa55036484707665aaf5269fef9dd3390c2e1
-
SHA256
74e93cc6b272c923885a99e724c6f21cdcf0ef2d955884a93cd703747b21b335
-
SHA512
ea0bea1876fdf226e6a2359bec0f68e6474640207ca4d92cb95cf9ed45aa089449c26b5a0113a90bfa9dbbb65c1e2597e4b90a020a4a1c34931f42e78d1c793c
-
SSDEEP
768:bIDOw9UiaCHfjnE0Sfa7ilR0p9u6p4ICNBCXK9m:bIDOw9a0DwitDZz5
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation 2024-01-08_4b6bbd51490cefb107ff79fd82d0fae3_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 5112 lossy.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3692 wrote to memory of 5112 3692 2024-01-08_4b6bbd51490cefb107ff79fd82d0fae3_cryptolocker.exe 89 PID 3692 wrote to memory of 5112 3692 2024-01-08_4b6bbd51490cefb107ff79fd82d0fae3_cryptolocker.exe 89 PID 3692 wrote to memory of 5112 3692 2024-01-08_4b6bbd51490cefb107ff79fd82d0fae3_cryptolocker.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-08_4b6bbd51490cefb107ff79fd82d0fae3_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-08_4b6bbd51490cefb107ff79fd82d0fae3_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Users\Admin\AppData\Local\Temp\lossy.exe"C:\Users\Admin\AppData\Local\Temp\lossy.exe"2⤵
- Executes dropped EXE
PID:5112
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50KB
MD5cb3ac27c633a24a1fd4cef3ed2c0bada
SHA104e2a0ad35504fa8e0fbd4f405e7d529f9163441
SHA256ee6c8325ade28f4b9e5abccc835d4001d1edc0efc489f994fa416e26e38a159c
SHA512a689829f289b626f090d17805cd00f43ca897a045391d65ace2d4df22691e6dbc8e2f6c913f2cb15ee56484c4ad34f56b702667a5a391782d9cd6cfb29329f96