Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
10/11/2024, 06:54
Behavioral task
behavioral1
Sample
2024-11-10_f459ef07352f95b531be627d3a17c2c9_cryptolocker.exe
Resource
win7-20240708-en
General
-
Target
2024-11-10_f459ef07352f95b531be627d3a17c2c9_cryptolocker.exe
-
Size
54KB
-
MD5
f459ef07352f95b531be627d3a17c2c9
-
SHA1
0c5b2a2c708c9553f2c91ff0901ee97701d45fa4
-
SHA256
b6fad117825b6ceb6a7144af33d5bf4f0a22039751bf197b02d3e03179af38e0
-
SHA512
20c90dba850c27764235c3511ff50d5e1efa8003bc57d0d79b37ff912208252c31ac2ce407586864cf56e820e7b188a1e929eb596b069903f9bf9c911771af7e
-
SSDEEP
768:bODOw9UiamWUB2preAr+OfjH/0S16avdrQFiLjJvtOun:bODOw9acifAoc+vx
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1928 lossy.exe -
Loads dropped DLL 1 IoCs
pid Process 2324 2024-11-10_f459ef07352f95b531be627d3a17c2c9_cryptolocker.exe -
resource yara_rule behavioral1/memory/2324-0-0x0000000008000000-0x000000000800F000-memory.dmp upx behavioral1/memory/2324-14-0x0000000008000000-0x000000000800F000-memory.dmp upx behavioral1/files/0x000900000001225f-11.dat upx behavioral1/memory/1928-16-0x0000000008000000-0x000000000800F000-memory.dmp upx behavioral1/memory/1928-26-0x0000000008000000-0x000000000800F000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-10_f459ef07352f95b531be627d3a17c2c9_cryptolocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lossy.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2324 wrote to memory of 1928 2324 2024-11-10_f459ef07352f95b531be627d3a17c2c9_cryptolocker.exe 31 PID 2324 wrote to memory of 1928 2324 2024-11-10_f459ef07352f95b531be627d3a17c2c9_cryptolocker.exe 31 PID 2324 wrote to memory of 1928 2324 2024-11-10_f459ef07352f95b531be627d3a17c2c9_cryptolocker.exe 31 PID 2324 wrote to memory of 1928 2324 2024-11-10_f459ef07352f95b531be627d3a17c2c9_cryptolocker.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-10_f459ef07352f95b531be627d3a17c2c9_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-10_f459ef07352f95b531be627d3a17c2c9_cryptolocker.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\lossy.exe"C:\Users\Admin\AppData\Local\Temp\lossy.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1928
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD5f61ed601cf94a6d95cd32bf33638522b
SHA1a330fd2f87898dd84917a4f23868a69f5f016b6e
SHA25647ada7a88ed48365d1dbafcb534aeb7962e9bbb504d34cf72aaea5e3d50170ed
SHA5123d7fabcf533264b4dcc2a167d7dfc329ff1e36d4a99e88029455498322283dfeecbc9c73c1bba0ff74fc32111f4a1c5bac4dd58986244c7ecf36a876c31f41e3