5e23324643cb25bced58d86f5db882bb662add439004f550fec836efd1edb76e

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe
Size

54KB
MD5

22f84ec802be3fff8e3e2a1b0eecff69
SHA1

48d7a5bac0cd7e9c74451dbb31745e4c8090a83a
SHA256

5e23324643cb25bced58d86f5db882bb662add439004f550fec836efd1edb76e
SHA512

aac23f68152786169125c7aaccf7e746975a3eb826cf390adad8990c270746b4b3bbe52c668a59d568df338a1a205f3a5d364b8ad5f0a1a333b397e3f30f2c35
SSDEEP

768:bIDOw9UiaCHfjnE0Sfa7ilR0p9u6p4ICNBCXK9Xv+mb6uXsl:bIDOw9a0DwitDZzc16j

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022fa8-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4912	lossy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4912	3952	2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe	84
PID 3952 wrote to memory of 4912	3952	2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe	84
PID 3952 wrote to memory of 4912	3952	2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-11_22f84ec802be3fff8e3e2a1b0eecff69_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
54KB

MD5
f8b90422be5b06efe89f44fd1917ad66

SHA1
b1d2b3d3915cb2a990771fa70319d2e32b1d9bc5

SHA256
7fbaeccae7a95eb3254a7f7eb884e9aa903d58f30be9926b79bbad08b7bb3baf

SHA512
c8f294dff789d934b9304cd16de1fe049293e6510a19339b7b6b501d9350722cab3b0d8839a14f0110d22e81d4cef6abcea43916b6279136399a682fa1669c74

Download Submit
memory/3952-0-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/3952-1-0x0000000001FF0000-0x0000000001FF6000-memory.dmp

Filesize
24KB

Download
memory/3952-8-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/4912-23-0x0000000001F40000-0x0000000001F46000-memory.dmp

Filesize
24KB

Download