8b061ed1a60a7c448816cb86396b9a621115a7dfcae00beaf8eb8597ae310a54

General

Target

NEAS.2023-09-27_ab2b536f105067b8323e4efa13eecdd9_cryptolocker_JC.exe
Size

30KB
MD5

ab2b536f105067b8323e4efa13eecdd9
SHA1

fd428fcd26fe74a6d7a168b9d251528987da859d
SHA256

8b061ed1a60a7c448816cb86396b9a621115a7dfcae00beaf8eb8597ae310a54
SHA512

80839ba1444bf496eb6158efb08d45b9675da003a059be7b730c16899c64db31a9077bf614abebb0f7899224b33c865b06ce17a6e12afa0b43cf8c3a2d2fc546
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUgIunexRl49y:bA74zYcgT/Ekd0ryfjPIunYL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.2023-09-27_ab2b536f105067b8323e4efa13eecdd9_cryptolocker_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
3992	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4236	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 3992	1212	NEAS.2023-09-27_ab2b536f105067b8323e4efa13eecdd9_cryptolocker_JC.exe	89
PID 1212 wrote to memory of 3992	1212	NEAS.2023-09-27_ab2b536f105067b8323e4efa13eecdd9_cryptolocker_JC.exe	89
PID 1212 wrote to memory of 3992	1212	NEAS.2023-09-27_ab2b536f105067b8323e4efa13eecdd9_cryptolocker_JC.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_ab2b536f105067b8323e4efa13eecdd9_cryptolocker_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_ab2b536f105067b8323e4efa13eecdd9_cryptolocker_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:3992

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
a3a074248449a1822c70cdc8c831ac07

SHA1
c9773992a89561b39acdf4e950b38ff64dc66af0

SHA256
9e8d4ff34897a3d007d857f58ca88ea8f784fff1e8dfbfd4956e1b214a9777ce

SHA512
e9178b10e61f251c4f2a28b99de1bbd8cd625de9362c8642cc8f3ee59d55fb61d535db4e6ecbb444a2f9045aa5d84827f0545227308315210060b94530b54cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
30KB

MD5
e98354561050d6a6935f17cfd6143b65

SHA1
0eb11228e0284c86fa2ce56ed59731328bb44a82

SHA256
ab29dffc5715fcfa18fcaf78f926b262d5ee3a5c87970d316b48a775260fe371

SHA512
0b494828622dfe0c7530108f671e8920681f2130c54dad382fe740b3f2c3597d53696d05410a1433c8056150b7732c3caf5608990dd0dd0caf4bb5363fd1d75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
30KB

MD5
e98354561050d6a6935f17cfd6143b65

SHA1
0eb11228e0284c86fa2ce56ed59731328bb44a82

SHA256
ab29dffc5715fcfa18fcaf78f926b262d5ee3a5c87970d316b48a775260fe371

SHA512
0b494828622dfe0c7530108f671e8920681f2130c54dad382fe740b3f2c3597d53696d05410a1433c8056150b7732c3caf5608990dd0dd0caf4bb5363fd1d75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
30KB

MD5
e98354561050d6a6935f17cfd6143b65

SHA1
0eb11228e0284c86fa2ce56ed59731328bb44a82

SHA256
ab29dffc5715fcfa18fcaf78f926b262d5ee3a5c87970d316b48a775260fe371

SHA512
0b494828622dfe0c7530108f671e8920681f2130c54dad382fe740b3f2c3597d53696d05410a1433c8056150b7732c3caf5608990dd0dd0caf4bb5363fd1d75c

Download Submit
memory/1212-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/1212-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/1212-2-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/3992-18-0x0000000002160000-0x0000000002166000-memory.dmp

Filesize
24KB

Download
memory/4236-59-0x0000026AFDA90000-0x0000026AFDA91000-memory.dmp

Filesize
4KB

Download
memory/4236-64-0x0000026AFDA90000-0x0000026AFDA91000-memory.dmp

Filesize
4KB

Download
memory/4236-57-0x0000026AFDA90000-0x0000026AFDA91000-memory.dmp

Filesize
4KB

Download
memory/4236-58-0x0000026AFDA90000-0x0000026AFDA91000-memory.dmp

Filesize
4KB

Download
memory/4236-40-0x0000026AF9480000-0x0000026AF9490000-memory.dmp

Filesize
64KB

Download
memory/4236-60-0x0000026AFDA90000-0x0000026AFDA91000-memory.dmp

Filesize
4KB

Download
memory/4236-61-0x0000026AFDA90000-0x0000026AFDA91000-memory.dmp

Filesize
4KB

Download
memory/4236-62-0x0000026AFDA90000-0x0000026AFDA91000-memory.dmp

Filesize
4KB

Download
memory/4236-63-0x0000026AFDA90000-0x0000026AFDA91000-memory.dmp

Filesize
4KB

Download
memory/4236-56-0x0000026AFDA70000-0x0000026AFDA71000-memory.dmp

Filesize
4KB

Download
memory/4236-65-0x0000026AFDA90000-0x0000026AFDA91000-memory.dmp

Filesize
4KB

Download
memory/4236-66-0x0000026AFDA90000-0x0000026AFDA91000-memory.dmp

Filesize
4KB

Download
memory/4236-67-0x0000026AFD6C0000-0x0000026AFD6C1000-memory.dmp

Filesize
4KB

Download
memory/4236-68-0x0000026AFD6B0000-0x0000026AFD6B1000-memory.dmp

Filesize
4KB

Download
memory/4236-70-0x0000026AFD6C0000-0x0000026AFD6C1000-memory.dmp

Filesize
4KB

Download
memory/4236-73-0x0000026AFD6B0000-0x0000026AFD6B1000-memory.dmp

Filesize
4KB

Download
memory/4236-76-0x0000026AFD5F0000-0x0000026AFD5F1000-memory.dmp

Filesize
4KB

Download
memory/4236-24-0x0000026AF9380000-0x0000026AF9390000-memory.dmp

Filesize
64KB

Download
memory/4236-88-0x0000026AFD7F0000-0x0000026AFD7F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing