e2bcd53530c2502034e9fa10e3d97f3bdf5cefc0ba6204e85ce415e84608ad62

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_f988fa09b0978e2ca8753908682ca373_cryptolocker.exe
Size

41KB
MD5

f988fa09b0978e2ca8753908682ca373
SHA1

d4df96ac918bf475fde260b0955f144942d2c1b7
SHA256

e2bcd53530c2502034e9fa10e3d97f3bdf5cefc0ba6204e85ce415e84608ad62
SHA512

e45b7d90cd022a4a9b942f9c10d92d24e1769acefab6b7cc85057733a0919c9573b203ef596d45a8169d8a3f6df42ff7ca6014f8846384b08e8723d40d60a2f5
SSDEEP

768:bCDOw9UiaKHfjnD0S16avdrQFiLjJvtAc:bCDOw9aMDooc+vAc

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/2416-0-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000c000000015cce-11.dat	CryptoLocker_rule2
behavioral1/memory/2416-14-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1708-16-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1708-26-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
1708	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
2416	2024-04-27_f988fa09b0978e2ca8753908682ca373_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1708	2416	2024-04-27_f988fa09b0978e2ca8753908682ca373_cryptolocker.exe	28
PID 2416 wrote to memory of 1708	2416	2024-04-27_f988fa09b0978e2ca8753908682ca373_cryptolocker.exe	28
PID 2416 wrote to memory of 1708	2416	2024-04-27_f988fa09b0978e2ca8753908682ca373_cryptolocker.exe	28
PID 2416 wrote to memory of 1708	2416	2024-04-27_f988fa09b0978e2ca8753908682ca373_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-27_f988fa09b0978e2ca8753908682ca373_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_f988fa09b0978e2ca8753908682ca373_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
41KB

MD5
4569422967ac086c77ae8b39f6180e48

SHA1
f548c785b5ab296458cb51d7056b816736bae4fc

SHA256
2b2df4f34e2152e086396646341e451c220ef67b20dbdbcffcd52a48c5af4967

SHA512
afa2a75b4647c890a0d9747e001fee7a9b50563c43756b6fa76d7d32fb28801a12805c83a50d96f9c7f46fd941629cef45ce9a620e089a2db2475516bed4fd07

Download Submit
memory/1708-16-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/1708-18-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/1708-25-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/1708-26-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2416-0-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2416-1-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/2416-2-0x0000000001C90000-0x0000000001C96000-memory.dmp

Filesize
24KB

Download
memory/2416-9-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/2416-14-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download