930556536142c3fc94dcf6f2fd391c53cadbaeaeb456ed169decfab0a43be7b1

Analysis

max time kernel
83s
max time network
84s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 00:47

Sharing

Copy URL Twitter E-mail

Reason

Task went missing from backend

Report Analysis Logs

General

Target

2024-07-26_a03e40f68e8c0cc7ccf006db3db649e4_cryptolocker.exe
Size

5.5MB
MD5

a03e40f68e8c0cc7ccf006db3db649e4
SHA1

8d681614af983c2e5e590e65035f139139665bb6
SHA256

930556536142c3fc94dcf6f2fd391c53cadbaeaeb456ed169decfab0a43be7b1
SHA512

8bb26b76393cbd9c01225f47e103e7f5fa78930e9c63c251b302a265e9625b3757b1c0bdedce5b800b6ed7fcb6f308dc8f85569e77f13a5bafc6dc7c4a4021e8
SSDEEP

98304:ot1QKvyjzO6B3DenIMmzyxD++XsBq+JUieGNt3sB/a1Ed9m+Ufl:otTvgz73XMpxDbcwYvt3sFa4Ol

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2096	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
3044	2024-07-26_a03e40f68e8c0cc7ccf006db3db649e4_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-26_a03e40f68e8c0cc7ccf006db3db649e4_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lossy.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3044	2024-07-26_a03e40f68e8c0cc7ccf006db3db649e4_cryptolocker.exe
2096	lossy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2096	3044	2024-07-26_a03e40f68e8c0cc7ccf006db3db649e4_cryptolocker.exe	30
PID 3044 wrote to memory of 2096	3044	2024-07-26_a03e40f68e8c0cc7ccf006db3db649e4_cryptolocker.exe	30
PID 3044 wrote to memory of 2096	3044	2024-07-26_a03e40f68e8c0cc7ccf006db3db649e4_cryptolocker.exe	30
PID 3044 wrote to memory of 2096	3044	2024-07-26_a03e40f68e8c0cc7ccf006db3db649e4_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-07-26_a03e40f68e8c0cc7ccf006db3db649e4_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-26_a03e40f68e8c0cc7ccf006db3db649e4_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
5.5MB

MD5
bca642f20c202d325c5f86bf9a7483bf

SHA1
ef9170652ac3a6142bc48858cd8a2964924249c7

SHA256
59271f08d11897766fa342e3a54d8aa8c0f6be99824f0099ae16262654d69ef4

SHA512
5279595265bee57f44fbd19e33bac9e8f410f4d9cdbbea55013369392c47f179db5bcf1e7ad90ddc6457073e22dfee0f5925cab15b6c006333d3f001d5c6e1fb

Download Submit
memory/2096-24-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/2096-35-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/2096-42-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/2096-41-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/2096-33-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/3044-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3044-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3044-0-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/3044-17-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/3044-22-0x0000000003340000-0x0000000003BC4000-memory.dmp

Filesize
8.5MB

Download
memory/3044-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3044-25-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/3044-26-0x000000000800A000-0x0000000008303000-memory.dmp

Filesize
3.0MB

Download
memory/3044-6-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/3044-7-0x000000000800A000-0x0000000008303000-memory.dmp

Filesize
3.0MB

Download
memory/3044-9-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/3044-16-0x0000000008000000-0x0000000008884000-memory.dmp

Filesize
8.5MB

Download
memory/3044-8-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download