9bbcd4171fd68ee14a27ef4c1fcc438fb304ad9a0213f91f1958656b91f11334

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 02:23

Target

2024-05-22_0c18fcc8db261d0aeaf42501dd917b0a_cryptolocker.exe
Size

43KB
MD5

0c18fcc8db261d0aeaf42501dd917b0a
SHA1

f20d01cc7ec8e0bf94c4a65f737a56aba8c03d5f
SHA256

9bbcd4171fd68ee14a27ef4c1fcc438fb304ad9a0213f91f1958656b91f11334
SHA512

c32ad2eb2d9d6b6613104551381718dfd8b7cebb2e613b56340e989e7a738590ff427bb2f7379d367eab6959ae913ca7c5b12b1f5fd8818a37c58da6876aeae7
SSDEEP

768:bCDOw9UiaKHfjnD0S16avdrQFiLjJvtAHP:bCDOw9aMDooc+vAv

Score

9^/10

Detection of CryptoLocker Variants 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2928-0-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
\Users\Admin\AppData\Local\Temp\lossy.exe	CryptoLocker_rule2
behavioral1/memory/2928-12-0x0000000001E50000-0x0000000001E5A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2928-16-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2852-26-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

Processes:

lossy.exe

pid process

2852 lossy.exe
Loads dropped DLL 1 IoCs

Processes:

2024-05-22_0c18fcc8db261d0aeaf42501dd917b0a_cryptolocker.exe

pid process

2928 2024-05-22_0c18fcc8db261d0aeaf42501dd917b0a_cryptolocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2852	lossy.exe

pid	process
2928	2024-05-22_0c18fcc8db261d0aeaf42501dd917b0a_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-05-22_0c18fcc8db261d0aeaf42501dd917b0a_cryptolocker.exe

description	pid	process	target process
PID 2928 wrote to memory of 2852	2928	2024-05-22_0c18fcc8db261d0aeaf42501dd917b0a_cryptolocker.exe	lossy.exe
PID 2928 wrote to memory of 2852	2928	2024-05-22_0c18fcc8db261d0aeaf42501dd917b0a_cryptolocker.exe	lossy.exe
PID 2928 wrote to memory of 2852	2928	2024-05-22_0c18fcc8db261d0aeaf42501dd917b0a_cryptolocker.exe	lossy.exe
PID 2928 wrote to memory of 2852	2928	2024-05-22_0c18fcc8db261d0aeaf42501dd917b0a_cryptolocker.exe	lossy.exe

C:\Users\Admin\AppData\Local\Temp\lossy.exe
"C:\Users\Admin\AppData\Local\Temp\lossy.exe"
2⤵
- Executes dropped EXE
PID:2852

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
43KB

MD5
ef381d4e1b2c8b1fd9e493e8582e494e

SHA1
21750d6b454f7710d7446eb9c2d4eb022ee046ca

SHA256
003e29a43529f26760e23ae4507b366f2bdaf5b10704028f9c2599551cd54548

SHA512
bbac1ee46beb7b27199713434cc2533dafb9349d2088f3208421c8937c2fcf13318723d84aee9ea4e3d4016cd2dcb8d0bf6d37de7ef16b1ea05c244474d18c96

Download Submit
memory/2852-18-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download
memory/2852-26-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2852-25-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2928-0-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2928-1-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2928-2-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2928-9-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2928-12-0x0000000001E50000-0x0000000001E5A000-memory.dmp

Filesize
40KB

Download
memory/2928-16-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download