Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 15:33
Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe
Resource: win7-20231215-en
General
Target: 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe
Size: 39KB
MD5: 53e97dd5c4e5d82ab023e6aa7045487e
SHA1: 9d0f007c030a37c40dfeb9f895477ca031d1f82c
SHA256: 97b65be6c46ad9e28f291b309753b7ab90af2e9e5f7009b1248abcddfc285008
SHA512: 55a24f91b015c4374b8db4bae78f17dbea161a80c1f9ffff04821c80e95bafdf270157c2a5d7fd395aed3871a41800dd21a4470aa5ee3bbf9f47bcbe97992900
SSDEEP: 768:bgX4zYcgTEu6QOaryfjqDDw3sCu5b+qZw7pM:bgGYcA/53GADw8ClqZw7pM
Malware Config
Signatures

Detection of CryptoLocker Variants (1 IoC)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\hasfj.exe | CryptoLocker_rule2

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe

Executes dropped EXE (1 IoC)
Processes: hasfj.exe
  pid | process
  3608 | hasfj.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe
  description | pid | process | target process
  PID 1588 wrote to memory of 3608 | 1588 | 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe | hasfj.exe
  PID 1588 wrote to memory of 3608 | 1588 | 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe | hasfj.exe
  PID 1588 wrote to memory of 3608 | 1588 | 2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe | hasfj.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 1588

   2. C:\Users\Admin\AppData\Local\Temp\hasfj.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      - Executes dropped EXE
      PID: 3608
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  Filesize: 39KB
  MD5: 79d4f336c64449c2fcf225ee3a73b9ee
  SHA1: e20a603fe363a6061b05c5a6c22cf1b51be7b69b
  SHA256: c492f4c4ceed311a602dbe5bba80664e1dd76c4e572ef014294f6c4ef4f58c32
  SHA512: f94530dab1d5c64bc9ec988cfcb4bd63ed52ca2e44ddf94ddf43daf6cab9e093f709df2359aa0a462ee3024f01ee960a95cf96ad1bf4441783b707b980c88fe5

memory/1588-0-0x00000000022D0000-0x00000000022D6000-memory.dmp
  Filesize: 24KB

memory/1588-2-0x0000000002300000-0x0000000002306000-memory.dmp
  Filesize: 24KB

memory/1588-1-0x00000000022D0000-0x00000000022D6000-memory.dmp
  Filesize: 24KB

memory/3608-18-0x0000000002110000-0x0000000002116000-memory.dmp
  Filesize: 24KB

memory/3608-17-0x0000000002140000-0x0000000002146000-memory.dmp
  Filesize: 24KB