2d9de032a39fb5cdbd4c1aa617768131f995c146d643053207f66e686419db44

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 11:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-18_d5acc9474e1f53f4ee4fb978097b0aef_cryptolocker.exe
Size

50KB
MD5

d5acc9474e1f53f4ee4fb978097b0aef
SHA1

3efe4fcd5db83b4ebb2fe03c9c045873aeb93afb
SHA256

2d9de032a39fb5cdbd4c1aa617768131f995c146d643053207f66e686419db44
SHA512

e27e15223995807e9d66a6a88fb90ddf6f7bb520d40e40e0c83526582baa557d3dc2729885dae3c22d2767d7663e1e59198b3c36259edc263ae49d97ac95f2ad
SSDEEP

768:bIDOw9UiaCHfjnE0Sfa7ilR0p9u6p4ICNBCXK9H:bIDOw9a0DwitDZzU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2344	lossy.exe

Loads dropped DLL 1 IoCs

pid	Process
2064	2024-10-18_d5acc9474e1f53f4ee4fb978097b0aef_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-18_d5acc9474e1f53f4ee4fb978097b0aef_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lossy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2344	2064	2024-10-18_d5acc9474e1f53f4ee4fb978097b0aef_cryptolocker.exe	31
PID 2064 wrote to memory of 2344	2064	2024-10-18_d5acc9474e1f53f4ee4fb978097b0aef_cryptolocker.exe	31
PID 2064 wrote to memory of 2344	2064	2024-10-18_d5acc9474e1f53f4ee4fb978097b0aef_cryptolocker.exe	31
PID 2064 wrote to memory of 2344	2064	2024-10-18_d5acc9474e1f53f4ee4fb978097b0aef_cryptolocker.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-10-18_d5acc9474e1f53f4ee4fb978097b0aef_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_d5acc9474e1f53f4ee4fb978097b0aef_cryptolocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
50KB

MD5
2765c312011d4971c8b236d0a2c3da15

SHA1
1429cdf08985d33500bfb24ff9252fc9f50a28b0

SHA256
387f98b369303070a650673fd7f5446faff836d361da26041db0d8cd78ca3031

SHA512
42e50f2b2749d2ccf5402bb3079b3d5f066f4aa94460dcf0c5962b92f024c4bb033e78411729b42a6e7e46e9e5cc5892dfc7d1680c88b2caccc6599818f7c77c

Download Submit
memory/2064-0-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2064-8-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2064-1-0x0000000000580000-0x0000000000586000-memory.dmp

Filesize
24KB

Download
memory/2344-16-0x0000000001C90000-0x0000000001C96000-memory.dmp

Filesize
24KB

Download
memory/2344-15-0x0000000001C50000-0x0000000001C56000-memory.dmp

Filesize
24KB

Download