Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    05/09/2024, 10:45

General

  • Target

    2024-09-05_426db74c60af8e78f6e9edcfaf03e21f_cryptolocker.exe

  • Size

    44KB

  • MD5

    426db74c60af8e78f6e9edcfaf03e21f

  • SHA1

    94cfc9773038fdfb3795dd540c910a617cb19771

  • SHA256

    b6d1620c40da6478ae185b7cf1b84229433dff47eb3fbf73208bbcde2b1f64be

  • SHA512

    60f9bc09e90e642871883b411a69859c5af4ec9f067de739303dd851d36ec183cf8d16faabe418a00950b21f19129cf08378a4ccfb8ff5ad327af15008f7cce8

  • SSDEEP

    768:bCDOw9UiaKHfjnD0S16avdrQFiLjJvtAqjr+:bCDOw9aMDooc+vAqj6

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-05_426db74c60af8e78f6e9edcfaf03e21f_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-05_426db74c60af8e78f6e9edcfaf03e21f_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Users\Admin\AppData\Local\Temp\lossy.exe
      "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3688

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lossy.exe

    Filesize

    44KB

    MD5

    815e0cf17527f84e1b3836a556d6fac8

    SHA1

    835b89bf28789697abf208c5dc4aa6399068d56c

    SHA256

    4159b6fd49d4e7d21a77fc04dbe232213b0e4c67f5fb20836c41a5886f891adb

    SHA512

    aced8073033c07af7b833b47d449ea16a02d201390201b33923a26d0b25aebea0c45e2ce97272b9824635e0df524ac53b00c845206dba33189d6a96530c31132

  • memory/2564-0-0x0000000008000000-0x000000000800A000-memory.dmp

    Filesize

    40KB

  • memory/2564-1-0x0000000002200000-0x0000000002206000-memory.dmp

    Filesize

    24KB

  • memory/2564-2-0x0000000002200000-0x0000000002206000-memory.dmp

    Filesize

    24KB

  • memory/2564-3-0x0000000002220000-0x0000000002226000-memory.dmp

    Filesize

    24KB

  • memory/2564-17-0x0000000008000000-0x000000000800A000-memory.dmp

    Filesize

    40KB

  • memory/3688-19-0x0000000000590000-0x0000000000596000-memory.dmp

    Filesize

    24KB

  • memory/3688-20-0x00000000005B0000-0x00000000005B6000-memory.dmp

    Filesize

    24KB

  • memory/3688-26-0x0000000008000000-0x000000000800A000-memory.dmp

    Filesize

    40KB