a0debfc84156e23269fcc1c8073da65b701c0f941fa9b459d7e1add0ed1f8574

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 23:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_3515862b66421fb63e542fa8b805e82e_cryptolocker.exe
Size

384KB
MD5

3515862b66421fb63e542fa8b805e82e
SHA1

d44932cc1137249f5eca53826acd9b37a9e45e92
SHA256

a0debfc84156e23269fcc1c8073da65b701c0f941fa9b459d7e1add0ed1f8574
SHA512

54c34a93d52bd645327fd61ba0b037adbe93ee0e2ee1ad020ce9d55a408c48038552adf47e556fa89f1fee26583800645699eb479d461ee60df170e8c2e553c4
SSDEEP

6144:nnOsaQgAOjvrZFODJjBz3j1jTqQy6v2GGnugOtihzX1:nnOflT/ZFIjBz3xjTxynGUOUhX1

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023192-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	2024-01-28_3515862b66421fb63e542fa8b805e82e_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
216	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 216	1400	2024-01-28_3515862b66421fb63e542fa8b805e82e_cryptolocker.exe	85
PID 1400 wrote to memory of 216	1400	2024-01-28_3515862b66421fb63e542fa8b805e82e_cryptolocker.exe	85
PID 1400 wrote to memory of 216	1400	2024-01-28_3515862b66421fb63e542fa8b805e82e_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-01-28_3515862b66421fb63e542fa8b805e82e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_3515862b66421fb63e542fa8b805e82e_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
384KB

MD5
fed7947864a1012999324f8cb5346dbb

SHA1
84a0bbac6d7301814b28f67e90002474e9ba2b64

SHA256
2f018297c6b94a108120346a8c627352b90b11047911d53b8477c9e4ae92c989

SHA512
1f7f658a6fafdbb830a5a0ace67e6c95ab865081f7b4cfbb02576056fbe6aed4758ef80f9d6974727f8c58463ef33ba909e6cd274011b8f67fd795c2d123f60f

Download Submit
memory/216-17-0x00000000022B0000-0x00000000022B6000-memory.dmp

Filesize
24KB

Download
memory/216-23-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/1400-0-0x0000000002340000-0x0000000002346000-memory.dmp

Filesize
24KB

Download
memory/1400-1-0x0000000002340000-0x0000000002346000-memory.dmp

Filesize
24KB

Download
memory/1400-2-0x0000000002500000-0x0000000002506000-memory.dmp

Filesize
24KB

Download