30e95a888ae701ab075864399b117335e7547f63b4a1b78fdaca04574fee5e6e

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 22:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_b8ac5963d695b97587504edc443bef74_cryptolocker.exe
Size

40KB
MD5

b8ac5963d695b97587504edc443bef74
SHA1

15a2ef4c83887e2a1a49813e1b0d5a393776b72e
SHA256

30e95a888ae701ab075864399b117335e7547f63b4a1b78fdaca04574fee5e6e
SHA512

7274f7b4aaef932d3bb92a394568df2300f1e6611d0dcf23f4cca205ad03fdcd21640b477b122d299e61dfcd36246e0048b9c3d0050ee3714b16a2046dbc3dbb
SSDEEP

768:bIDOw9UiaCHfjnE0Sf88AvvP1oghYvm9/6DyE9xgy1:bIDOw9a0Dwo3P1ojvUSD79yy1

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012253-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2080	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	2024-04-10_b8ac5963d695b97587504edc443bef74_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2080	2072	2024-04-10_b8ac5963d695b97587504edc443bef74_cryptolocker.exe	28
PID 2072 wrote to memory of 2080	2072	2024-04-10_b8ac5963d695b97587504edc443bef74_cryptolocker.exe	28
PID 2072 wrote to memory of 2080	2072	2024-04-10_b8ac5963d695b97587504edc443bef74_cryptolocker.exe	28
PID 2072 wrote to memory of 2080	2072	2024-04-10_b8ac5963d695b97587504edc443bef74_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-10_b8ac5963d695b97587504edc443bef74_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_b8ac5963d695b97587504edc443bef74_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
40KB

MD5
71c8d2d2482e06a0c2ab83570a89e7ea

SHA1
206ea46e5ae17dee94354bf2f7423482b3ae7b2d

SHA256
fdf3378f825479699c1ae4cebd07f3013a83476eab71114b382925f53aa8d00f

SHA512
df813623c0df43786e6e1d6d66004d9dd7286a8f3b84593bf836901ba7d3929e0e3328d2ca6216ea00df77273e2b89085276ab02245008daada9f7f1b3367a7e

Download Submit
memory/2072-0-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2072-2-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2072-1-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2080-15-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2080-18-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download