Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 04:29

General

  • Target

    2024-09-19_731e90c74813b81dca2991deda78f4a2_cryptolocker.exe

  • Size

    45KB

  • MD5

    731e90c74813b81dca2991deda78f4a2

  • SHA1

    5134f0451e942f801f966daa29e6658129977861

  • SHA256

    344ed2e27618aa51d3af356c2b0153419549af1ff61e55b04e633d7e88ee0d13

  • SHA512

    d66c179c838f33cf7d062e3e5db1eeb77a578c96a57cfcde99cad368ec4af92b0ce3ae48882701c9c1c06e35fa0020a604b18cedc267d43ed86ca9405cbb018f

  • SSDEEP

    768:bCDOw9UiaKHfjnD0S16avdrQFiLjJvtAIie0LHumD:bCDOw9aMDooc+vAlXnD

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-19_731e90c74813b81dca2991deda78f4a2_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-19_731e90c74813b81dca2991deda78f4a2_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Local\Temp\lossy.exe
      "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1980

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\lossy.exe

    Filesize

    46KB

    MD5

    cbb50f055a8aba2b99179fcac6a472fc

    SHA1

    34a1f831b4b895759706b08d2ba9e463d713be40

    SHA256

    98cdcce6bdb833b560db65bb51292afc4aea1b846a57c58ee2c64d38ac0cbaa5

    SHA512

    31bc1aa880308105f84cad2355ee13f94492efa54b0b15413c742b34a79acc8980a2f88e5e03b307c916b93d34efc20d828474b5c2abf36ee4573aa6308d867e

  • memory/1980-19-0x00000000006B0000-0x00000000006B6000-memory.dmp

    Filesize

    24KB

  • memory/1980-25-0x0000000000690000-0x0000000000696000-memory.dmp

    Filesize

    24KB

  • memory/1980-26-0x0000000008000000-0x000000000800A000-memory.dmp

    Filesize

    40KB

  • memory/2928-0-0x0000000008000000-0x000000000800A000-memory.dmp

    Filesize

    40KB

  • memory/2928-1-0x0000000002200000-0x0000000002206000-memory.dmp

    Filesize

    24KB

  • memory/2928-2-0x0000000002200000-0x0000000002206000-memory.dmp

    Filesize

    24KB

  • memory/2928-4-0x0000000002220000-0x0000000002226000-memory.dmp

    Filesize

    24KB

  • memory/2928-17-0x0000000008000000-0x000000000800A000-memory.dmp

    Filesize

    40KB