Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
21-04-2024 01:01
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-21_1526adf377cec9e97f83607caa59c678_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-21_1526adf377cec9e97f83607caa59c678_cryptolocker.exe
Resource
win10v2004-20240412-en
General
-
Target
2024-04-21_1526adf377cec9e97f83607caa59c678_cryptolocker.exe
-
Size
41KB
-
MD5
1526adf377cec9e97f83607caa59c678
-
SHA1
3a18e8b708b5a970c92595361f837bde16ca7d51
-
SHA256
cbff931e21cfa1b5b830b9f2474848d7b0db3ea303976e12412d946c64e1ac66
-
SHA512
caf66a798a0486a976c61dfaf19db74a18af8a7863d38bfd9ed5822cba9e9e5f812e5fa10bd04be69a2dab53c99768230fa07ce6221f43039d476cd82acb2d38
-
SSDEEP
768:bCDOw9UiaKHfjnD0S16avdrQFiLjJvtAHR:bCDOw9aMDooc+vAx
Malware Config
Signatures
-
Detection of CryptoLocker Variants 4 IoCs
resource yara_rule behavioral2/memory/3112-0-0x0000000008000000-0x000000000800A000-memory.dmp CryptoLocker_rule2 behavioral2/files/0x001c00000001e97e-13.dat CryptoLocker_rule2 behavioral2/memory/3112-17-0x0000000008000000-0x000000000800A000-memory.dmp CryptoLocker_rule2 behavioral2/memory/4588-26-0x0000000008000000-0x000000000800A000-memory.dmp CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation 2024-04-21_1526adf377cec9e97f83607caa59c678_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 4588 lossy.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3112 wrote to memory of 4588 3112 2024-04-21_1526adf377cec9e97f83607caa59c678_cryptolocker.exe 86 PID 3112 wrote to memory of 4588 3112 2024-04-21_1526adf377cec9e97f83607caa59c678_cryptolocker.exe 86 PID 3112 wrote to memory of 4588 3112 2024-04-21_1526adf377cec9e97f83607caa59c678_cryptolocker.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-21_1526adf377cec9e97f83607caa59c678_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-21_1526adf377cec9e97f83607caa59c678_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Users\Admin\AppData\Local\Temp\lossy.exe"C:\Users\Admin\AppData\Local\Temp\lossy.exe"2⤵
- Executes dropped EXE
PID:4588
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
41KB
MD5be44dba9634c18b5d71990342c529561
SHA1abf058b67828fb3fae7cbab93aaad453adb5904c
SHA256e39ae41af9c0b4edd0fdc42e75dd39deb709f53ce47b3633a035247d52c0d6d5
SHA51274b6e26188085ce85d2e92f1fe8c8cff3063198b49d36cb26e04edb8eea46651a245d67084fee7447a9ec4d8b5abedf24d28c9af8a76fa8085d810bc5ac879ee