Analysis

  • max time kernel
    68s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 18:39

General

  • Target

    2022-11-23_c0c9fc01162bf59ddf4795f80627b42d_cryptolocker.exe

  • Size

    68KB

  • MD5

    c0c9fc01162bf59ddf4795f80627b42d

  • SHA1

    bbfdb85b26a23513a54068fb950357ec20340c0b

  • SHA256

    7e431eb2f74ff09e893d439381370eed7929f146a54020c1bb4df943645ac7c4

  • SHA512

    f32547dcaca0e8dc54ac4ef98ff267670c190a7a4a7dc25b98ed3fbb11c020b5e1ac24e63201575f94398956f40f1135b240f4c21e17ff7cd2d3c07be58290f4

  • SSDEEP

    768:gUQz7yVEhs9+4T/1bytOOtEvwDpjNbZ9TDY9:gUj+AIMOtEvwDpjNbPDG

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2022-11-23_c0c9fc01162bf59ddf4795f80627b42d_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2022-11-23_c0c9fc01162bf59ddf4795f80627b42d_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Users\Admin\AppData\Local\Temp\misid.exe
      "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Modifies system certificate store
      PID:4212

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Install Root Certificate 1 T1130
  • Modify Registry 1 T1112

Discovery

  • Query Registry 1 T1012
  • System Information Discovery 2 T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\misid.exe
    Filesize

    68KB

    MD5

    75fbd7d773ae84ca04ad9abcc3e5a82c

    SHA1

    27d811f7e90dd1b2160e3130698a2185434e01b5

    SHA256

    6de3cdf7de7f8a3f5e57bf3406d1b27c7725b18d6ca4ceada064d86e5c2f3a0c

    SHA512

    d3b3a2b1f5938ff0cc9abfaba9666c4e3913d75a785e206a8fe13daa2cd3e5e6704196e22be9df9819b09549d618b7e87fa72b2dd560cd053515cc218891f7a8

  • memory/2328-132-0x0000000000590000-0x0000000000596000-memory.dmp
    Filesize

    24KB

  • memory/2328-133-0x0000000000590000-0x0000000000596000-memory.dmp
    Filesize

    24KB

  • memory/2328-134-0x00000000006B0000-0x00000000006B6000-memory.dmp
    Filesize

    24KB

  • memory/4212-140-0x0000000000000000-mapping.dmp
  • memory/4212-144-0x00000000004E0000-0x00000000004E6000-memory.dmp
    Filesize

    24KB

  • memory/4212-150-0x00000000004C0000-0x00000000004C6000-memory.dmp
    Filesize

    24KB