ffb3ed8fb0229e1e211e4092d5d5087941e7bea126ebe30560e0fa582fc077f7

Analysis

max time kernel
34s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_b651ef1ef061dad875832062d418e317_cryptolocker.exe
Size

50KB
MD5

b651ef1ef061dad875832062d418e317
SHA1

1a93de8682ded86d6937050c7b2734f40f3bd214
SHA256

ffb3ed8fb0229e1e211e4092d5d5087941e7bea126ebe30560e0fa582fc077f7
SHA512

5ffebb5528f28041f1567fc0bc0a4c3d590c163425952d54d907d1fbef8d2f9624a791f86f70fa3c08140f58e9383f581829fbac21c0e32d27875627cdd1bf98
SSDEEP

768:bIDOw9UiaCHfjnE0Sf88AvvP1oghYvm9/6D8jnPx9UnuDLlD+JIr:bIDOw9a0Dwo3P1ojvUSD4PInyDk8

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002328e-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2024-06-05_b651ef1ef061dad875832062d418e317_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3780	lossy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 3780	1116	2024-06-05_b651ef1ef061dad875832062d418e317_cryptolocker.exe	82
PID 1116 wrote to memory of 3780	1116	2024-06-05_b651ef1ef061dad875832062d418e317_cryptolocker.exe	82
PID 1116 wrote to memory of 3780	1116	2024-06-05_b651ef1ef061dad875832062d418e317_cryptolocker.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-06-05_b651ef1ef061dad875832062d418e317_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_b651ef1ef061dad875832062d418e317_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
50KB

MD5
9e5364e7bf828a08549a61dbea4fd820

SHA1
de3fdd8128276d9897dcb0d638d3aafde987560a

SHA256
5984c3de640c997a8ec32e0692ac3be2206d602c0c26a6f7c79d88f5fb5ce5a1

SHA512
ce89952d801ed90753b40a9116c8a5ba73f993b9b13e2f3a7546308c98783e161a6d1790a7f2766d64c85964ac33a344c7e412cc063ddd09c228fbafc8a9bacb

Download Submit
memory/1116-0-0x0000000002040000-0x0000000002046000-memory.dmp

Filesize
24KB

Download
memory/1116-1-0x0000000002070000-0x0000000002076000-memory.dmp

Filesize
24KB

Download
memory/1116-8-0x0000000002040000-0x0000000002046000-memory.dmp

Filesize
24KB

Download
memory/3780-17-0x00000000020E0000-0x00000000020E6000-memory.dmp

Filesize
24KB

Download
memory/3780-23-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download