e08dbb65038b605f98fa831ca9492f86ed45da3f9783105a6609678cf1eb2978

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_effc87d86eb0ccf798cf4eb4012129b5_cryptolocker.exe
Size

28KB
MD5

effc87d86eb0ccf798cf4eb4012129b5
SHA1

acfee5878be2e8e9298ed2d158b3bd39729781eb
SHA256

e08dbb65038b605f98fa831ca9492f86ed45da3f9783105a6609678cf1eb2978
SHA512

0ac234bd6a1db585fd21264af0b1ebf87cfbb66feb9c0f2233767ae50d1d8b52d451ee60cf98e39f392cb806dd0b93d11c14ec2fb548ca071810456489cae2e8
SSDEEP

384:bFgFQrdSmuQ8WFqxpj5cpyIuYxVe3FSr+OLfjDp+0g/HNblX7QCOBqB:bFgm5zusFUB2preAr+Ofjg0STX73OBqB

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	2024-09-21_effc87d86eb0ccf798cf4eb4012129b5_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4340	lossy.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/536-0-0x0000000008000000-0x000000000800E000-memory.dmp	upx
behavioral2/files/0x0009000000023454-13.dat	upx
behavioral2/memory/536-18-0x0000000008000000-0x000000000800E000-memory.dmp	upx
behavioral2/memory/4340-27-0x0000000008000000-0x000000000800E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_effc87d86eb0ccf798cf4eb4012129b5_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lossy.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 4340	536	2024-09-21_effc87d86eb0ccf798cf4eb4012129b5_cryptolocker.exe	82
PID 536 wrote to memory of 4340	536	2024-09-21_effc87d86eb0ccf798cf4eb4012129b5_cryptolocker.exe	82
PID 536 wrote to memory of 4340	536	2024-09-21_effc87d86eb0ccf798cf4eb4012129b5_cryptolocker.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-09-21_effc87d86eb0ccf798cf4eb4012129b5_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_effc87d86eb0ccf798cf4eb4012129b5_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
28KB

MD5
421da2e82ea22767c399d59b0e111504

SHA1
5ca21bfbf60d6f2d8d5f99af7420341be1e2b8cb

SHA256
5bb424a7cebcf5bf602c7aba113b4179b01026ae60f62cd012be17d4ce95712c

SHA512
1456ab296cb8132a096c9f6d5cc21e4380070620a306a51f3669c3a45b4a824b34a982cb7f76a82742f09fedd57b68072a099c859e88bd19dcaa1cb690b70bcd

Download Submit
memory/536-0-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download
memory/536-1-0x0000000000720000-0x0000000000726000-memory.dmp

Filesize
24KB

Download
memory/536-2-0x0000000000720000-0x0000000000726000-memory.dmp

Filesize
24KB

Download
memory/536-3-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/536-18-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download
memory/4340-20-0x0000000002130000-0x0000000002136000-memory.dmp

Filesize
24KB

Download
memory/4340-21-0x0000000002030000-0x0000000002036000-memory.dmp

Filesize
24KB

Download
memory/4340-27-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download