Analysis
-
max time kernel
89s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
25-01-2024 17:31
Static task
static1
Behavioral task
behavioral1
Sample
2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe
Resource
win7-20231215-en
General
-
Target
2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe
-
Size
122KB
-
MD5
7b4a875ab88f62fd28eec2985a0d7a63
-
SHA1
ef40e8ade1521c5f9e68d7ac50f7ef8055f68b5d
-
SHA256
768ec8c6fe1bc71cc496c618cfdb12292237a24b90f32d569792000c7fe7fb11
-
SHA512
4d61d5fe5bcb606d779624b671075b593062b6636f6dc4b86dae43343a5fa4c029fd267d2a68c563dcfa3b439cbbeb0ee47bac9b00e3f09c5ad9321571e76798
-
SSDEEP
768:gUQz7yVEhs9+4T/1bytOOtEvwDpjNbZ7uyA36S7MpxRIIXVe3mU9TYwlOBTZ+mjP:gUj+AIMOtEvwDpjNbwQEIPlemUhYpVa4
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x00090000000231eb-12.dat CryptoLocker_rule2 -
Detection of Cryptolocker Samples 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x00090000000231eb-12.dat CryptoLocker_set1 -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
misid.exe2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation misid.exe Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation 2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe -
Executes dropped EXE 1 IoCs
Processes:
misid.exepid Process 2028 misid.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exedescription pid Process procid_target PID 4036 wrote to memory of 2028 4036 2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe 87 PID 4036 wrote to memory of 2028 4036 2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe 87 PID 4036 wrote to memory of 2028 4036 2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Users\Admin\AppData\Local\Temp\misid.exe"C:\Users\Admin\AppData\Local\Temp\misid.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2028
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
122KB
MD54bdee09290cd2b88218c659bec8e4884
SHA1ea7a22f0ff5b3d74f5e8896486eb3cef96df25a5
SHA2562665bf85735487b0604dfd61d50e267da23794dfe4be005b7cef868031fcc928
SHA5126da506b7de380fade91990a0f66324ed1b19c9551f0974a865f86138bd259844d3612327d51930e318bdb70095fdcf48ab1ed396ffdcc7c737de4a83682a20cf