b1c9c340c07d9053d8f2d1baa245d017e861c94f123c23857201349090e1c093

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-17_e4d4a2c0d14559aadb6ba1977b781d49_cryptolocker.exe
Size

49KB
MD5

e4d4a2c0d14559aadb6ba1977b781d49
SHA1

d6b152aa3f8f259b7c47b96cfa34c2d6c219dfaa
SHA256

b1c9c340c07d9053d8f2d1baa245d017e861c94f123c23857201349090e1c093
SHA512

818c1accdf749f187ef3b9a63a4b8e718dddf023be22b99efb58d804683273e94e037fc2c82c9c0bae3deecf2c2440754379193543a1cc04995bf1f082a4d644
SSDEEP

768:bIDOw9UiaCHfjnE0Sf88AvvP1oghYvm9/6D8jnPx9UnuDLlD+w1:bIDOw9a0Dwo3P1ojvUSD4PInyDP

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000120ff-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
3068	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
1116	2024-06-17_e4d4a2c0d14559aadb6ba1977b781d49_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 3068	1116	2024-06-17_e4d4a2c0d14559aadb6ba1977b781d49_cryptolocker.exe	28
PID 1116 wrote to memory of 3068	1116	2024-06-17_e4d4a2c0d14559aadb6ba1977b781d49_cryptolocker.exe	28
PID 1116 wrote to memory of 3068	1116	2024-06-17_e4d4a2c0d14559aadb6ba1977b781d49_cryptolocker.exe	28
PID 1116 wrote to memory of 3068	1116	2024-06-17_e4d4a2c0d14559aadb6ba1977b781d49_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-17_e4d4a2c0d14559aadb6ba1977b781d49_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-17_e4d4a2c0d14559aadb6ba1977b781d49_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
49KB

MD5
45c11bfe8255a3f9ff6343c78ecd26fc

SHA1
1efc5bd762922deb0672d3c6a872d225a0775679

SHA256
938522900dd76cbdb86646633b1e3d66add80ac6c4e229c8a0531435f0f02c32

SHA512
3758808132b3a5c98a029dcce9b90d5db02bb4031831d5c745f2db786cc09e52d8ecc35df2637033f23cef48a4f5b5d2af9ccc50d4ec5861b36fb4995484aefa

Download Submit
memory/1116-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1116-1-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/1116-8-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/3068-22-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/3068-15-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download