a228fdab92f56e0d5295725ace9bf79584c73abf3fc6a1197e3c00b8ef7c99db

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-16_88bfaad0bbee8739fb50df4cbf2fa251_cryptolocker.exe
Size

48KB
MD5

88bfaad0bbee8739fb50df4cbf2fa251
SHA1

62585369847ba70e0b2b3461b697a9354ecc98f8
SHA256

a228fdab92f56e0d5295725ace9bf79584c73abf3fc6a1197e3c00b8ef7c99db
SHA512

ea93a4bc0d867ea8bbfbbdecd6f2c551fde352e667a75894da756f388ce3428c827f61a389e7bb0256ef2a568fcc6f7453506508628664500e0319b74d42b271
SSDEEP

768:bIDOw9UiaCHfjnE0Sf88AvvP1oghYvm9/6D8jnPx9UnuDLlD+c:bIDOw9a0Dwo3P1ojvUSD4PInyDp

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023278-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-05-16_88bfaad0bbee8739fb50df4cbf2fa251_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3944	lossy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 3944	3472	2024-05-16_88bfaad0bbee8739fb50df4cbf2fa251_cryptolocker.exe	83
PID 3472 wrote to memory of 3944	3472	2024-05-16_88bfaad0bbee8739fb50df4cbf2fa251_cryptolocker.exe	83
PID 3472 wrote to memory of 3944	3472	2024-05-16_88bfaad0bbee8739fb50df4cbf2fa251_cryptolocker.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-05-16_88bfaad0bbee8739fb50df4cbf2fa251_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-16_88bfaad0bbee8739fb50df4cbf2fa251_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
48KB

MD5
3e2fe3d68ab1273ba95253520a43101e

SHA1
d43e5d5d6061b3d73c454ef46dce685ff0997d12

SHA256
6d288e791b44620a0578db5bb7765509d6f8d20680a6dc6f2e8680d1fbe5e4e5

SHA512
e527c98d027daa9f733bac63b59979f003844fa9846de16f5d24cd35f46c4bae1df52cf232f7edf9432839cb1916829698c2b368ed6e72a6280f395775e446d0

Download Submit
memory/3472-0-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/3472-2-0x0000000000640000-0x0000000000646000-memory.dmp

Filesize
24KB

Download
memory/3472-8-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/3944-17-0x0000000002070000-0x0000000002076000-memory.dmp

Filesize
24KB

Download
memory/3944-23-0x0000000002050000-0x0000000002056000-memory.dmp

Filesize
24KB

Download