7ba5b31c6ec6e6a6865666f6f8959c8b8a3d9ca4039b24ad979e48f3e94c2e36

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_a5309804ea9046a884103260458b8f52_cryptolocker.exe
Size

44KB
MD5

a5309804ea9046a884103260458b8f52
SHA1

b271fa4efcf6855cf5bae175b9c0a35d9c191334
SHA256

7ba5b31c6ec6e6a6865666f6f8959c8b8a3d9ca4039b24ad979e48f3e94c2e36
SHA512

f3f51d0e6a067cdae3a9a658efcee685d85c2ce1a62e5c3ddefca2a675c0480cf630d36125227999c050565c695e3c0be7dd0f8b70c122af2c3b1a7efd7a8352
SSDEEP

768:bCDOw9UiaKHfjnD0S16avdrQFiLjJvtAIie0LHZ:bCDOw9aMDooc+vAlXZ

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral1/memory/1756-0-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000b000000014323-11.dat	CryptoLocker_rule2
behavioral1/memory/3048-16-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/1756-15-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/3048-26-0x0000000008000000-0x000000000800A000-memory.dmp	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
3048	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
1756	2024-05-31_a5309804ea9046a884103260458b8f52_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 3048	1756	2024-05-31_a5309804ea9046a884103260458b8f52_cryptolocker.exe	28
PID 1756 wrote to memory of 3048	1756	2024-05-31_a5309804ea9046a884103260458b8f52_cryptolocker.exe	28
PID 1756 wrote to memory of 3048	1756	2024-05-31_a5309804ea9046a884103260458b8f52_cryptolocker.exe	28
PID 1756 wrote to memory of 3048	1756	2024-05-31_a5309804ea9046a884103260458b8f52_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-05-31_a5309804ea9046a884103260458b8f52_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_a5309804ea9046a884103260458b8f52_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
44KB

MD5
e1e74a7d37a36d7e9fa3ebed22e7b403

SHA1
053140f29c7424b2a56524682e1394964ba62bc7

SHA256
7f507a5b26d349457dc8012b4a2e26c8f8208b2517a605cd0d067bc6e1f6cf64

SHA512
82e0071856441b0dd77a6ff680faa17eace67b611e127648d90bfc28ed4ef79635df21ff2ec353e1acacd007e5c098f1acd31a5f1854c2bb3a25db6dd3f85b49

Download Submit
memory/1756-0-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/1756-2-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/1756-1-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1756-9-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1756-15-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/3048-16-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/3048-18-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/3048-25-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/3048-26-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download