db10fc08c2c2ae7ede9a55bbab2ffd1010eac84e8648f73d4396a130df6bfdff

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-01-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_ff58daef49b1bed03c1d2ee2fa205afe_cryptolocker.exe
Size

51KB
MD5

ff58daef49b1bed03c1d2ee2fa205afe
SHA1

450183c7f11e8f5063e034a867d64d01129d9880
SHA256

db10fc08c2c2ae7ede9a55bbab2ffd1010eac84e8648f73d4396a130df6bfdff
SHA512

f39afa5135a795cbde54292028a0c14a67dc9d9be5438279001b4cafb78e820bfed7b34f13dfc305dd75e9e73953598ece7a369df4cee90a82e627344fee91f3
SSDEEP

768:bIDOw9UiaCHfjnE0Sfa7ilR0p9u6p4ICNBCXK9fHEO:bIDOw9a0DwitDZzER

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x0004000000004ed7-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1640	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
2084	2024-01-24_ff58daef49b1bed03c1d2ee2fa205afe_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1640	2084	2024-01-24_ff58daef49b1bed03c1d2ee2fa205afe_cryptolocker.exe	30
PID 2084 wrote to memory of 1640	2084	2024-01-24_ff58daef49b1bed03c1d2ee2fa205afe_cryptolocker.exe	30
PID 2084 wrote to memory of 1640	2084	2024-01-24_ff58daef49b1bed03c1d2ee2fa205afe_cryptolocker.exe	30
PID 2084 wrote to memory of 1640	2084	2024-01-24_ff58daef49b1bed03c1d2ee2fa205afe_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-01-24_ff58daef49b1bed03c1d2ee2fa205afe_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_ff58daef49b1bed03c1d2ee2fa205afe_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
52KB

MD5
0e321b4c6819b7e731534d2b966cc126

SHA1
ca7e03f946111c51d468a3151aa2ac1ea7b581bc

SHA256
3b0abd3d047fd34fef8f44ced230f3f985736f5c81ff0c74cef8d905c3fffdff

SHA512
0082bed0dcd13a0ade2285019c69cf2e3384be22a30e3a811342234af915a2fd62687269353b26dd1948f48278ec4a31dcc4153468122685c21adbd26346651b

Download Submit
memory/1640-15-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/1640-18-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2084-0-0x0000000001BD0000-0x0000000001BD6000-memory.dmp

Filesize
24KB

Download
memory/2084-1-0x0000000001CC0000-0x0000000001CC6000-memory.dmp

Filesize
24KB

Download
memory/2084-3-0x0000000001BD0000-0x0000000001BD6000-memory.dmp

Filesize
24KB

Download