1d6a15ff0009d9e6fe4056cbd5997e6a38ae4864d9a25a0300da15a53b5f61d1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_7de05f20c9937c8fe84dd321d405a4ff_cryptolocker.exe
Size

54KB
MD5

7de05f20c9937c8fe84dd321d405a4ff
SHA1

cbfa01b22cbec07469d3cf88f4d599ab4fdc8537
SHA256

1d6a15ff0009d9e6fe4056cbd5997e6a38ae4864d9a25a0300da15a53b5f61d1
SHA512

dbe1477a994fd4464610bbbeb0dd35502d902b3cd978888ad157b2c68076d2b1a2eadcd212c3a614f43664b7c0ed9085ade3740f0abe5d2b2290442fc4c3b976
SSDEEP

768:bIDOw9UiaCHfjnE0Sfa7ilR0p9u6p4ICNBCXK9XbTb8puF:bIDOw9a0DwitDZzcTLF

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023b5c-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	2024-04-26_7de05f20c9937c8fe84dd321d405a4ff_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3968	lossy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 3968	2384	2024-04-26_7de05f20c9937c8fe84dd321d405a4ff_cryptolocker.exe	86
PID 2384 wrote to memory of 3968	2384	2024-04-26_7de05f20c9937c8fe84dd321d405a4ff_cryptolocker.exe	86
PID 2384 wrote to memory of 3968	2384	2024-04-26_7de05f20c9937c8fe84dd321d405a4ff_cryptolocker.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-04-26_7de05f20c9937c8fe84dd321d405a4ff_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_7de05f20c9937c8fe84dd321d405a4ff_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
54KB

MD5
c5efc73f863e32aa65d0e3c3933a2217

SHA1
cbb6be2ad299dade898a31bbfb74ac9d7f27b7e2

SHA256
834baf0749c01fad0bb76b9301d3c8399eecbbec87903c7ee2d96dee924d4427

SHA512
623dad2ab0283dea41e25e76f09a375071b80c3d358fb7cea3ec477d10afadc75f945b982a83660ab50e32b0d9310a56b1dea26d0ecd323d4b48b49d8e07ca7d

Download Submit
memory/2384-0-0x00000000020C0000-0x00000000020C6000-memory.dmp

Filesize
24KB

Download
memory/2384-1-0x00000000020E0000-0x00000000020E6000-memory.dmp

Filesize
24KB

Download
memory/2384-8-0x00000000020C0000-0x00000000020C6000-memory.dmp

Filesize
24KB

Download
memory/3968-17-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/3968-23-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download