7ae597f8007d63fe1697ef97960b01f28c3db4b2d972e4cf265227735637633e

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_92cff7bf422c647673a708a7afb3e996_cryptolocker.exe
Size

41KB
MD5

92cff7bf422c647673a708a7afb3e996
SHA1

3d60f7ca567e89ececb68ce3fdc34d7358835a02
SHA256

7ae597f8007d63fe1697ef97960b01f28c3db4b2d972e4cf265227735637633e
SHA512

e8d4e77809a02a158f26f72669f2d4567164dc49908b85ee0b9e8ef1c4dfa8b200e61f909f877e26f16f63cf2ddc83ad89c2d041de68560dce6bc8049c5e671f
SSDEEP

768:bCDOw9UiaKHfjnD0S16avdrQFiLjJvtA8:bCDOw9aMDooc+vA8

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/2292-0-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000c000000012339-11.dat	CryptoLocker_rule2
behavioral1/memory/2292-15-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2976-17-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2976-26-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2976	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
2292	2024-04-22_92cff7bf422c647673a708a7afb3e996_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2976	2292	2024-04-22_92cff7bf422c647673a708a7afb3e996_cryptolocker.exe	28
PID 2292 wrote to memory of 2976	2292	2024-04-22_92cff7bf422c647673a708a7afb3e996_cryptolocker.exe	28
PID 2292 wrote to memory of 2976	2292	2024-04-22_92cff7bf422c647673a708a7afb3e996_cryptolocker.exe	28
PID 2292 wrote to memory of 2976	2292	2024-04-22_92cff7bf422c647673a708a7afb3e996_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-22_92cff7bf422c647673a708a7afb3e996_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_92cff7bf422c647673a708a7afb3e996_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
41KB

MD5
eb26f030ab2f5501edd9277b80506e2c

SHA1
df19c828d934ac0928a3248b510f1c6392e0e7e9

SHA256
548e6a5507eeb43a9461d50a3cc0542e5e3e7b4f1e5fa7947a4e245345876cfe

SHA512
9de22366b2742bf030d4aa5a0a21bec8ab7c83571c0e33369a32381dfe783f044320ea5635ea7dfc7f2ba9470a1b29f2d0d97ec549006f6bc26860240587a0b4

Download Submit
memory/2292-0-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2292-1-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2292-3-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2292-2-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2292-15-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2976-17-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2976-18-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2976-23-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2976-26-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download