c244cb23afc9995637ba6a4869f2a01d2f1cdae62f8f7889f9343540776f5a2f

Analysis

max time kernel
124s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-15_b39b845ae75601031c18bb5dbc262fd5_cryptolocker.exe
Size

43KB
MD5

b39b845ae75601031c18bb5dbc262fd5
SHA1

ba9fa8e5e8c505fb609de2b394d7b18c542b8c90
SHA256

c244cb23afc9995637ba6a4869f2a01d2f1cdae62f8f7889f9343540776f5a2f
SHA512

2f1a1b5ddccd925146969ed4acdf629b6fd6d439f2243c291caf121f0d6df6ef80844fa73f3d25dfa61441876c0dfa56f9a95b802a0385f8dcdd096131d7eb09
SSDEEP

768:bCDOw9UiaKHfjnD0S16avdrQFiLjJvtAGjrM:bCDOw9aMDooc+vAGjQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2068	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
2512	2024-10-15_b39b845ae75601031c18bb5dbc262fd5_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-15_b39b845ae75601031c18bb5dbc262fd5_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lossy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2068	2512	2024-10-15_b39b845ae75601031c18bb5dbc262fd5_cryptolocker.exe	30
PID 2512 wrote to memory of 2068	2512	2024-10-15_b39b845ae75601031c18bb5dbc262fd5_cryptolocker.exe	30
PID 2512 wrote to memory of 2068	2512	2024-10-15_b39b845ae75601031c18bb5dbc262fd5_cryptolocker.exe	30
PID 2512 wrote to memory of 2068	2512	2024-10-15_b39b845ae75601031c18bb5dbc262fd5_cryptolocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-15_b39b845ae75601031c18bb5dbc262fd5_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-15_b39b845ae75601031c18bb5dbc262fd5_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
43KB

MD5
fda5c8c83fd60fb024e8120ff48b3dc3

SHA1
b7d0ed34c86bc896e594cca7bdaf3463a6cbeeb2

SHA256
f175f13a4aa0072b2499480b96a0e0571121b649f0498b3cf73abcc48946aba5

SHA512
9f6dc211748937da1e63f829606f834ce4f974f7a26d409dfaec58060896fcd8ad3cf730d639a11af90759b71de9b5792cf7c9016c6e3c3f958ef900c288c4d9

Download Submit
memory/2068-17-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2068-24-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2068-25-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2512-0-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/2512-2-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2512-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2512-9-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2512-15-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download