6f26bbda6818201ddb4d9222d067d6e30c7d3bbffc0465d6b953756c9b4cd831

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 23:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_2d3d756f27a5a492ebedc49a459ea6da_cryptolocker.exe
Size

28KB
MD5

2d3d756f27a5a492ebedc49a459ea6da
SHA1

25c30f73199587f8004a83c795ba91233509c421
SHA256

6f26bbda6818201ddb4d9222d067d6e30c7d3bbffc0465d6b953756c9b4cd831
SHA512

cd3400d065612c051e23fff6fdcd56c7f251d358e4522384d2cf498aa4ea7a6cfee1568a0899c0367a4b773b97e974ef9d294b84fe6b4e14d38fa1bb7101b219
SSDEEP

384:bFgFQrdSmuQ8WFqxpj5cpyIuYxVe3FSr+OLfjDp+0g/HNblX7QCOBqZy:bFgm5zusFUB2preAr+Ofjg0STX73OBq4

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2748	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	2024-10-13_2d3d756f27a5a492ebedc49a459ea6da_cryptolocker.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3024-0-0x0000000008000000-0x000000000800E000-memory.dmp	upx
behavioral1/files/0x000e000000012014-11.dat	upx
behavioral1/memory/2748-18-0x0000000008000000-0x000000000800E000-memory.dmp	upx
behavioral1/memory/3024-17-0x0000000008000000-0x000000000800E000-memory.dmp	upx
behavioral1/memory/2748-28-0x0000000008000000-0x000000000800E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_2d3d756f27a5a492ebedc49a459ea6da_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lossy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2748	3024	2024-10-13_2d3d756f27a5a492ebedc49a459ea6da_cryptolocker.exe	30
PID 3024 wrote to memory of 2748	3024	2024-10-13_2d3d756f27a5a492ebedc49a459ea6da_cryptolocker.exe	30
PID 3024 wrote to memory of 2748	3024	2024-10-13_2d3d756f27a5a492ebedc49a459ea6da_cryptolocker.exe	30
PID 3024 wrote to memory of 2748	3024	2024-10-13_2d3d756f27a5a492ebedc49a459ea6da_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-13_2d3d756f27a5a492ebedc49a459ea6da_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_2d3d756f27a5a492ebedc49a459ea6da_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
28KB

MD5
79ad3f74dfd196b8b93b2f72f8428bb8

SHA1
97de73f876cabe69b596190ee653555510ccedee

SHA256
7ae24d9884c3f5cedc12897992de0f56cf24f5f49ea665824acc383e431460aa

SHA512
01ea03203c2458e53800cb124cc7a66961aa99dd2da1888e7aadcae283935435750d5d4e2977bdd2207da5a8b2d09ad171096c5eee3e76d100555a90d13c577e

Download Submit
memory/2748-18-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download
memory/2748-20-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/2748-27-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2748-28-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download
memory/3024-0-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download
memory/3024-1-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/3024-2-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/3024-9-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/3024-13-0x0000000001F50000-0x0000000001F5E000-memory.dmp

Filesize
56KB

Download
memory/3024-17-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download