4ced62f3e001695b6baf7931880cc71478b7baaef24ea1b50be24d88d78b28e3

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_0e18a6dfaa7587a1e78c53dae606e83e_cryptolocker.exe
Size

43KB
MD5

0e18a6dfaa7587a1e78c53dae606e83e
SHA1

c678b09132a8b1b1fb73abc48e22b9081e29b08f
SHA256

4ced62f3e001695b6baf7931880cc71478b7baaef24ea1b50be24d88d78b28e3
SHA512

ed738589af5337c3502f08101d33946b620feb31670e515b85f90c3d010981151eadc4d580005e12c76f7ba8db5963f4aa066f0336d18af95a0db7ee9774ea3b
SSDEEP

768:bIDOw9UiaCHfjnE0Sf88AvvP1oghYvm9/6DyE9x38Dab:bIDOw9a0Dwo3P1ojvUSD79Rn

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023250-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-05-24_0e18a6dfaa7587a1e78c53dae606e83e_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4700	lossy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 4700	3304	2024-05-24_0e18a6dfaa7587a1e78c53dae606e83e_cryptolocker.exe	92
PID 3304 wrote to memory of 4700	3304	2024-05-24_0e18a6dfaa7587a1e78c53dae606e83e_cryptolocker.exe	92
PID 3304 wrote to memory of 4700	3304	2024-05-24_0e18a6dfaa7587a1e78c53dae606e83e_cryptolocker.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-05-24_0e18a6dfaa7587a1e78c53dae606e83e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_0e18a6dfaa7587a1e78c53dae606e83e_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
43KB

MD5
ff5a828f7a4515ab6f8dc4eb71ca722c

SHA1
fbbe6d1bd8d4517d46348ab69670996eb2f23b55

SHA256
c852ca184471fc7592072845d477e9af66dde1d7e126105c514362c6384d345e

SHA512
a4457922da5a875b9555c43ec0ae082afa25c87d2d626332df63541ff984f1ce7de741afff9ad04109b2558d50445fcc4e7e8e5bdeed3d5e8a4857830ef4f2b1

Download Submit
memory/3304-0-0x0000000002180000-0x0000000002186000-memory.dmp

Filesize
24KB

Download
memory/3304-1-0x0000000002180000-0x0000000002186000-memory.dmp

Filesize
24KB

Download
memory/3304-2-0x0000000002230000-0x0000000002236000-memory.dmp

Filesize
24KB

Download
memory/4700-23-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/4700-17-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download