1dbe7fbe573e2b0cccfd4b99578115302a6569ece261a61ae18fdfd1691384e3

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_adb36e881dff9421ec77d19eec131375_cryptolocker.exe
Size

48KB
MD5

adb36e881dff9421ec77d19eec131375
SHA1

43f224e6c98cb321540fce1eae0d5a77690c0e7f
SHA256

1dbe7fbe573e2b0cccfd4b99578115302a6569ece261a61ae18fdfd1691384e3
SHA512

4fba72a4137864b65239c035bdbdec108963716f4a59649e6d76903294cc690758d29361f8fae1ea76a35f817404bfc85a50cca8b79ad8b062645a8665fd50ca
SSDEEP

768:bIDOw9UiaCHfjnE0Sf88AvvP1oghYvm9/6D8jnPx9UnuDLlD+1:bIDOw9a0Dwo3P1ojvUSD4PInyDo

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001441e-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2252	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
1968	2024-06-06_adb36e881dff9421ec77d19eec131375_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2252	1968	2024-06-06_adb36e881dff9421ec77d19eec131375_cryptolocker.exe	28
PID 1968 wrote to memory of 2252	1968	2024-06-06_adb36e881dff9421ec77d19eec131375_cryptolocker.exe	28
PID 1968 wrote to memory of 2252	1968	2024-06-06_adb36e881dff9421ec77d19eec131375_cryptolocker.exe	28
PID 1968 wrote to memory of 2252	1968	2024-06-06_adb36e881dff9421ec77d19eec131375_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-06_adb36e881dff9421ec77d19eec131375_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_adb36e881dff9421ec77d19eec131375_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
48KB

MD5
18b8428211bb1f9ed1a38001dce496da

SHA1
0cbb00f3ed3434bcacfa899303e0a56b7ae844da

SHA256
36dc8f68c0a04eeb51a5d35629d1639f42bc0008e07d0845be8725d22b7a672a

SHA512
b05a94816cf4cbb8b04ac5ae1cdfd6b70787d4d87c3cf79da01d272e833e614bedc1972d8f96609bae2b5158fbe56db87b23fd5607e8e857c337e525505cfe0e

Download Submit
memory/1968-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1968-1-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1968-8-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2252-15-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2252-22-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download