03d4c3e3555945b607b6b383f766770f14c6eaacab0cb923d4e91f4635df13bd

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_d1dab8f34b0454f35f314cf1a4306bf0_cryptolocker.exe
Size

41KB
MD5

d1dab8f34b0454f35f314cf1a4306bf0
SHA1

552dff66cdc904478b570c52b093cd6730609d69
SHA256

03d4c3e3555945b607b6b383f766770f14c6eaacab0cb923d4e91f4635df13bd
SHA512

768e61eac36f9ca1c6d5fb25cedd7fd335e76323706666dbf15d335079e7eb15a52890eef87d128856b9df17868f2ed785c202af91d9f1dd55d373068ee00429
SSDEEP

768:bIDOw9UiaCHfjnE0Sf88AvvP1oghYvm9/6Dy8PEI0vuW:bIDOw9a0Dwo3P1ojvUSDhcTP

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231ef-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	2024-02-12_d1dab8f34b0454f35f314cf1a4306bf0_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2444	lossy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2444	448	2024-02-12_d1dab8f34b0454f35f314cf1a4306bf0_cryptolocker.exe	84
PID 448 wrote to memory of 2444	448	2024-02-12_d1dab8f34b0454f35f314cf1a4306bf0_cryptolocker.exe	84
PID 448 wrote to memory of 2444	448	2024-02-12_d1dab8f34b0454f35f314cf1a4306bf0_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-02-12_d1dab8f34b0454f35f314cf1a4306bf0_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_d1dab8f34b0454f35f314cf1a4306bf0_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
41KB

MD5
f3594362a90d2f3628f457a1c9780e34

SHA1
fb3fd070373d23ecb916ccb1ed85330dd6dab5b0

SHA256
d185c9b780557a1d99abaca6654084ecb9494017c2547f21c19f3e37d9a118ec

SHA512
81e2cc13acda9edfd334675221969479507faa8968ccf8863b6c17f535f73e1f1e5fef7070459dbbe6af0822b08cbc35b02c1f9c009b466ba9acdc0e9000dda2

Download Submit
memory/448-0-0x0000000002040000-0x0000000002046000-memory.dmp

Filesize
24KB

Download
memory/448-1-0x0000000002040000-0x0000000002046000-memory.dmp

Filesize
24KB

Download
memory/448-2-0x0000000002060000-0x0000000002066000-memory.dmp

Filesize
24KB

Download
memory/2444-17-0x0000000002070000-0x0000000002076000-memory.dmp

Filesize
24KB

Download