87887a1de316eca31542c2cbc979a1f3431481df0cf6149e36c113001db836c7

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_46b24f7bb54cf7e3aebc93d89e1b4f8d_cryptolocker.exe
Size

41KB
MD5

46b24f7bb54cf7e3aebc93d89e1b4f8d
SHA1

282f7485f28cd8c5e6331b1d31683a924b8d74cd
SHA256

87887a1de316eca31542c2cbc979a1f3431481df0cf6149e36c113001db836c7
SHA512

a8c497b3cd681d05b0c396f150e6237577f4b635ece95a2df5f4c463211f486a460ebba1bfd2035df145d190c45cacb468161e633277e75269cd84087f3f81a8
SSDEEP

768:bIDOw9UiaCHfjnE0Sf88AvvP1oghYvm9/6DyE9x3p1:bIDOw9a0Dwo3P1ojvUSD79Rp1

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001224c-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2896	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
2756	2024-04-25_46b24f7bb54cf7e3aebc93d89e1b4f8d_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2896	2756	2024-04-25_46b24f7bb54cf7e3aebc93d89e1b4f8d_cryptolocker.exe	28
PID 2756 wrote to memory of 2896	2756	2024-04-25_46b24f7bb54cf7e3aebc93d89e1b4f8d_cryptolocker.exe	28
PID 2756 wrote to memory of 2896	2756	2024-04-25_46b24f7bb54cf7e3aebc93d89e1b4f8d_cryptolocker.exe	28
PID 2756 wrote to memory of 2896	2756	2024-04-25_46b24f7bb54cf7e3aebc93d89e1b4f8d_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-25_46b24f7bb54cf7e3aebc93d89e1b4f8d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_46b24f7bb54cf7e3aebc93d89e1b4f8d_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
41KB

MD5
c7aa2d7eaf741c31592db900ef69cf02

SHA1
1feaef388b4d5a4d4a3fa5832dc2593862c1b661

SHA256
1551cebae9a3e7fb48252691be27fbb6d43b5f2e8fc196104a698d60cce446f5

SHA512
73e3e832fe6bb1d69cf3b131fb6c6d8b41355feb6578a067a362478d41af408f27185cc9a3ef086c460437b96ce2062ce34ffccfdcd95fd2600495b49d1ccc84

Download Submit
memory/2756-0-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/2756-1-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/2756-2-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/2896-16-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2896-15-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download