63c6fd35e62201ca332f58360c67afec1164a0ab140981493d55392a87d80e2b

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-04-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_3f737bab27ab1ff6cd547b121f7c34d6_cryptolocker.exe
Size

54KB
MD5

3f737bab27ab1ff6cd547b121f7c34d6
SHA1

9c855e5238d2f263285f116639cf5f221db10d4e
SHA256

63c6fd35e62201ca332f58360c67afec1164a0ab140981493d55392a87d80e2b
SHA512

5ce163b9c17004ed11b1e8d9de67c3418c8f181a878fb7e4e6e60f85e5abb353cf1c1a51022b4de667096a5f3dcdce8852101f182ea0516cc68c936ab3ba7bf0
SSDEEP

768:bIDOw9UiaCHfjnE0Sfa7ilR0p9u6p4ICNBCXK9XbTbqjasql:bIDOw9a0DwitDZzcTmg

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000155e2-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2744	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
2172	2024-04-30_3f737bab27ab1ff6cd547b121f7c34d6_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2744	2172	2024-04-30_3f737bab27ab1ff6cd547b121f7c34d6_cryptolocker.exe	28
PID 2172 wrote to memory of 2744	2172	2024-04-30_3f737bab27ab1ff6cd547b121f7c34d6_cryptolocker.exe	28
PID 2172 wrote to memory of 2744	2172	2024-04-30_3f737bab27ab1ff6cd547b121f7c34d6_cryptolocker.exe	28
PID 2172 wrote to memory of 2744	2172	2024-04-30_3f737bab27ab1ff6cd547b121f7c34d6_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-30_3f737bab27ab1ff6cd547b121f7c34d6_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_3f737bab27ab1ff6cd547b121f7c34d6_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
54KB

MD5
8c4905c1d7cdbf056c25e3d4e5ec4cbf

SHA1
00a6a413fc1ddb746c86dad1c95e97e1e1336b7f

SHA256
3b3a78f68697f599c26f4e722d89b0e0be0d4f94e5b1084b017cfe00ba17dfc4

SHA512
8c5f44e3f83f3402bdded24ff71c3d88dafe43a27b5e3aa0ec581e09bb6a3e9b1877f13a7d6e73be0dadc78b856c272dda73abb7d5b625521e114c4470cf774e

Download Submit
memory/2172-0-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2172-1-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/2172-8-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2744-15-0x0000000001C80000-0x0000000001C86000-memory.dmp

Filesize
24KB

Download
memory/2744-22-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download