696a6ce280eb508f930ace17370cd3872512162f3c4058304a977b6c366181e1

Analysis

max time kernel
144s
max time network
76s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_29910a0a4f76f4c8825cc203b9f82534_cryptolocker.exe
Size

45KB
MD5

29910a0a4f76f4c8825cc203b9f82534
SHA1

cebe81326ea015509b2cab11d9856f5764e55583
SHA256

696a6ce280eb508f930ace17370cd3872512162f3c4058304a977b6c366181e1
SHA512

d6474a8949c5369b226d54cd52c763826a67b119278e12fa493fdfa7b4917ed2244a8b74e276a2e1d26b739c4d6668b8858bad7166eff82986bbb59d6a37c074
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37Yl6deMO:bgGYcA/53GAA6y37Q6de

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	2024-01-01_29910a0a4f76f4c8825cc203b9f82534_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1960	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 1960	4364	2024-01-01_29910a0a4f76f4c8825cc203b9f82534_cryptolocker.exe	42
PID 4364 wrote to memory of 1960	4364	2024-01-01_29910a0a4f76f4c8825cc203b9f82534_cryptolocker.exe	42
PID 4364 wrote to memory of 1960	4364	2024-01-01_29910a0a4f76f4c8825cc203b9f82534_cryptolocker.exe	42

C:\Users\Admin\AppData\Local\Temp\2024-01-01_29910a0a4f76f4c8825cc203b9f82534_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_29910a0a4f76f4c8825cc203b9f82534_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
29KB

MD5
b47d06696c391f57c5baddf5a96c40fc

SHA1
7a3fa7d050da07c20a36b151a75bbadd76c7b28e

SHA256
79522d9b8cd5019ac15f39e9a31c03b6a1ca7a16557e7470712663a3a0edae12

SHA512
9453d5c7bc872a76b70e75c90fb56450a55be8d5e4e020461f1c5de45085666e97e402cdba09bd507841b1a611dbd3dd515bf3538e0eceab1c28eac36826a451

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
20KB

MD5
f69c50ada79cc6fba855438e384a3685

SHA1
4fa33742f5d1294a313a32abc52deb5c71334782

SHA256
a26c5456a5cef44235ce1bfedcec1f734c838b3a97b856e3f1b23ea88edd96ef

SHA512
b7f8d3348af0b9e19f53d263d604fb4b3921c1a4bb5ef7e32da5d9487239c5e8230170726d11b0a63391eb724a4e076f9296e6180d3c082cd399b36b7bc76ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
35KB

MD5
01c63c06db9fee5f466b3aacae1a0076

SHA1
87e435e0cbcaabcee0898b56e302a9d82b001e84

SHA256
ab8017f03f730d8e5f62d3db8cd77a2a0f27d16bbcf8697d813d684d70ff9d30

SHA512
be0b24c39c8e9cccd141505766ba9e7b3fa757967c7a8a8c08c08c6a106b9e2d648f336a1020edc5c33ea363bfa9a3c8dab8becde478a513ce88e8425dbfaa8d

Download Submit
memory/1960-17-0x0000000002240000-0x0000000002246000-memory.dmp

Filesize
24KB

Download
memory/1960-23-0x0000000002090000-0x0000000002096000-memory.dmp

Filesize
24KB

Download
memory/4364-1-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/4364-2-0x0000000002400000-0x0000000002406000-memory.dmp

Filesize
24KB

Download
memory/4364-0-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download