7a1f695bce9accf2df1a9f65147934c24342720caa4495b08042eca61d1eac73

Analysis

max time kernel
159s
max time network
176s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-19_f89ae63893272dbd622befd50a48e069_cryptolocker.exe
Size

50KB
MD5

f89ae63893272dbd622befd50a48e069
SHA1

132c517c91ba6f5455ffea676f54eb1222be4e5e
SHA256

7a1f695bce9accf2df1a9f65147934c24342720caa4495b08042eca61d1eac73
SHA512

fea1d59acf71e95b0d0d3c081174040699357f656b7bea9ced3f041bfe3edd71e842861dcc5ff80bbc52ddf12909fb94caaa5a9ede2d4386d0980dd2a0628b96
SSDEEP

768:bIDOw9UiaCHfjnE0Sfa7ilR0p9u6p4ICNBCXK9gE1NIL:bIDOw9a0DwitDZzwIL

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012281-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2824	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
2668	2024-01-19_f89ae63893272dbd622befd50a48e069_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2824	2668	2024-01-19_f89ae63893272dbd622befd50a48e069_cryptolocker.exe	27
PID 2668 wrote to memory of 2824	2668	2024-01-19_f89ae63893272dbd622befd50a48e069_cryptolocker.exe	27
PID 2668 wrote to memory of 2824	2668	2024-01-19_f89ae63893272dbd622befd50a48e069_cryptolocker.exe	27
PID 2668 wrote to memory of 2824	2668	2024-01-19_f89ae63893272dbd622befd50a48e069_cryptolocker.exe	27

C:\Users\Admin\AppData\Local\Temp\2024-01-19_f89ae63893272dbd622befd50a48e069_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-19_f89ae63893272dbd622befd50a48e069_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
50KB

MD5
1c50472c751fb0f9e48e52a958587e40

SHA1
a2a857e2ef3f84ae22169d3a0783430492345892

SHA256
b009d4767009c1b168dbc789b2423caa4cec8c466ca24e729e4d0b146620e123

SHA512
d4e12b622edcb58bcd7d8227163a7edf91e94f6352113a77beed84ae098e494777f7bdbad6a4858e0b1b674697fe08bb2c7cabb1c75dd3f30353e045c3e63383

Download Submit
memory/2668-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2668-1-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2668-3-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2824-16-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/2824-15-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download