81731f3081068517bfa106cf905026c096c4654f1f4a857ec645f3e33337e8c3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_066ecb3cfc9b34f38c48a69c7c174dab_cryptolocker.exe
Size

42KB
MD5

066ecb3cfc9b34f38c48a69c7c174dab
SHA1

6bcfdd6080c4806ae798ab15c7187f34abd83fd3
SHA256

81731f3081068517bfa106cf905026c096c4654f1f4a857ec645f3e33337e8c3
SHA512

46a7f7fda975717d770eb1583dc87672fa2b91ea922d088f21146ecf28341e0fd23dfd9148039190a64290fa76a4473bf7699df488e490ef3e095419113fd694
SSDEEP

768:bCDOw9UiaKHfjnD0S16avdrQFiLjJvtAHS:bCDOw9aMDooc+vAy

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral2/memory/2284-0-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x000c000000023b5f-13.dat	CryptoLocker_rule2
behavioral2/memory/3748-17-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/2284-18-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/3748-27-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	2024-04-28_066ecb3cfc9b34f38c48a69c7c174dab_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3748	lossy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 3748	2284	2024-04-28_066ecb3cfc9b34f38c48a69c7c174dab_cryptolocker.exe	83
PID 2284 wrote to memory of 3748	2284	2024-04-28_066ecb3cfc9b34f38c48a69c7c174dab_cryptolocker.exe	83
PID 2284 wrote to memory of 3748	2284	2024-04-28_066ecb3cfc9b34f38c48a69c7c174dab_cryptolocker.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-04-28_066ecb3cfc9b34f38c48a69c7c174dab_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_066ecb3cfc9b34f38c48a69c7c174dab_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
42KB

MD5
84c0c5e543d6bf6cb8814a148a6b8320

SHA1
40f5e7173b3d339f9e00a18e32bb5d9bc9428d40

SHA256
bee3b845a8a533a37983762f6f4e8528a94ca65d1e85081cfa82f84cd067c557

SHA512
4517e3ad41a7aa19f62ccae1ae6a2232003798194707d341daf6947d6c85ad3d3f7184ea1660c81c4ee234915af2865b9254e523d343b020bcdd2b7e02486912

Download Submit
memory/2284-0-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2284-1-0x0000000002050000-0x0000000002056000-memory.dmp

Filesize
24KB

Download
memory/2284-2-0x0000000002070000-0x0000000002076000-memory.dmp

Filesize
24KB

Download
memory/2284-9-0x0000000002050000-0x0000000002056000-memory.dmp

Filesize
24KB

Download
memory/2284-18-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/3748-17-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/3748-20-0x0000000001FF0000-0x0000000001FF6000-memory.dmp

Filesize
24KB

Download
memory/3748-26-0x0000000001FD0000-0x0000000001FD6000-memory.dmp

Filesize
24KB

Download
memory/3748-27-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download