72679ff4d1e53bc75619eeb98730a84375246192c019ca1f40eb1703847ce7d4

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_c9a13d6062fa5095ba3136674cfae896_cryptolocker.exe
Size

26KB
MD5

c9a13d6062fa5095ba3136674cfae896
SHA1

8c8ccfb6f3e6991cf152670376f0703bafdabd78
SHA256

72679ff4d1e53bc75619eeb98730a84375246192c019ca1f40eb1703847ce7d4
SHA512

9263c28fa6ce4e14d6b43332f69a081a2663431da6e316b610db745c3e9d4735e9195a0239272e8591a78efba9c63f786daca6db8a8cc84c9fae4621a438b947
SSDEEP

384:bIDl1ovmXAw9PMDREhi9OUSPlRxMc/cip7IAfjDb4H0g/HNbN:bIDOw9UiaCHfjnE0S7

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2280	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
2100	2024-09-07_c9a13d6062fa5095ba3136674cfae896_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_c9a13d6062fa5095ba3136674cfae896_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lossy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2280	2100	2024-09-07_c9a13d6062fa5095ba3136674cfae896_cryptolocker.exe	31
PID 2100 wrote to memory of 2280	2100	2024-09-07_c9a13d6062fa5095ba3136674cfae896_cryptolocker.exe	31
PID 2100 wrote to memory of 2280	2100	2024-09-07_c9a13d6062fa5095ba3136674cfae896_cryptolocker.exe	31
PID 2100 wrote to memory of 2280	2100	2024-09-07_c9a13d6062fa5095ba3136674cfae896_cryptolocker.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-09-07_c9a13d6062fa5095ba3136674cfae896_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_c9a13d6062fa5095ba3136674cfae896_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
26KB

MD5
3624039cf2762458eeba078f4184dab9

SHA1
ce28524b9b9ae7f61e1399d6beb266593c6492d4

SHA256
7857098076dd49b1516fb49439b29c3d2e3ad6f66aff7e004c5ab490e5891834

SHA512
0247b37a8c110f71acead5aa04fb080cf6da726ac72e53e1da2d121163facca0c62575ac4b3dc427ac73f8c32b07ee53f01146ee19cae4d053c32ebae0e172ae

Download Submit
memory/2100-0-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2100-1-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2100-8-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2280-15-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/2280-22-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download