b882164a1cedcbfc129807c9d605da75a4e3a169082afc5d1ad03561e84372b8

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 03:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-02_2775b47dec9ddbe4efbf9aa3e3364079_cryptolocker.exe
Size

5.5MB
MD5

2775b47dec9ddbe4efbf9aa3e3364079
SHA1

b8baed685ef76713724b5e8cd05d9fb676debe8d
SHA256

b882164a1cedcbfc129807c9d605da75a4e3a169082afc5d1ad03561e84372b8
SHA512

41f952c84ee4430e67bd7b1fcce70d99f7e7d90f93aa2c7d52cd3c849760401d9c528403b3357d4c4b246802d30efa8628343610490cf4e4a707300dceb1cf7f
SSDEEP

98304:ot1QKvyjzO6B3DenIMmzyxD++XsBq+JUieGNt3sB/a1Ed9m+Uff:otTvgz73XMpxDbcwYvt3sFa4Of

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 9 IoCs

resource	yara_rule
behavioral1/memory/2184-0-0x0000000008000000-0x0000000008884000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2184-6-0x0000000008000000-0x0000000008884000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2184-15-0x0000000008000000-0x0000000008884000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2184-17-0x0000000008000000-0x0000000008884000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000b000000013417-19.dat	CryptoLocker_rule2
behavioral1/memory/2524-25-0x0000000008000000-0x0000000008884000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2184-24-0x0000000008000000-0x0000000008884000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2524-33-0x0000000008000000-0x0000000008884000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2524-41-0x0000000008000000-0x0000000008884000-memory.dmp	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2524	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
2184	2024-05-02_2775b47dec9ddbe4efbf9aa3e3364079_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2184	2024-05-02_2775b47dec9ddbe4efbf9aa3e3364079_cryptolocker.exe
2524	lossy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2524	2184	2024-05-02_2775b47dec9ddbe4efbf9aa3e3364079_cryptolocker.exe	28
PID 2184 wrote to memory of 2524	2184	2024-05-02_2775b47dec9ddbe4efbf9aa3e3364079_cryptolocker.exe	28
PID 2184 wrote to memory of 2524	2184	2024-05-02_2775b47dec9ddbe4efbf9aa3e3364079_cryptolocker.exe	28
PID 2184 wrote to memory of 2524	2184	2024-05-02_2775b47dec9ddbe4efbf9aa3e3364079_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-02_2775b47dec9ddbe4efbf9aa3e3364079_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-02_2775b47dec9ddbe4efbf9aa3e3364079_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
5.5MB

MD5
17f0f056a97c118942e46c219a464b30

SHA1
6d15710bc4a5c4fdfaa737bd6c18156eaefd8047

SHA256
c96f3633ea7159c841137d8a403b97675ae8d5fe9a48c9d6264bbd2c11d5d0ca

SHA512
a20cc30683ed1b6835601c34030488d27effae754d5f9d213ea648af6e654ec010c705aa3c5b7128f803f3b7ba7d9b453d9cc0733c14c0fee8807bc223c6057e

Download Submit
memory/2184-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2184-27-0x000000000800A000-0x0000000008303000-memory.dmp

Filesize
3.0MB

Download
memory/2184-5-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2184-6-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/2184-0-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/2184-8-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/2184-15-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/2184-9-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2184-7-0x000000000800A000-0x0000000008303000-memory.dmp

Filesize
3.0MB

Download
memory/2184-17-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/2184-3-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2184-24-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/2184-23-0x00000000032F0000-0x0000000003B74000-memory.dmp

Filesize
8.5MB

Download
memory/2524-25-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/2524-32-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2524-33-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/2524-35-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2524-41-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/2524-30-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download