b376e98c7301482f5041c46789cab66ccfb8b750f58f186aab955029402ec876

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 15:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-29_603f50e3e8f647631591d98fb0d14792_cryptolocker.exe
Size

31KB
MD5

603f50e3e8f647631591d98fb0d14792
SHA1

01416d656c4c54765777fab447d53303c09e5b3c
SHA256

b376e98c7301482f5041c46789cab66ccfb8b750f58f186aab955029402ec876
SHA512

04348cd76fff7de0f5d446ae3c3cbaa271f9d2de8d6ca4f038fc5d13f9d5b1501fa6343ee2136e7a6ce8157db3b5ab4933bf13d8aec28f2f4582426a08c99cee
SSDEEP

384:bmM0V/YPvnr801TRoUGPh4TKt6ATt1DqgPa3s/zzoCt9/Bq:b7o/2n1TCraU6GD1a4Xt9g

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002323f-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	2024-01-29_603f50e3e8f647631591d98fb0d14792_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2324	rewok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 2324	5016	2024-01-29_603f50e3e8f647631591d98fb0d14792_cryptolocker.exe	86
PID 5016 wrote to memory of 2324	5016	2024-01-29_603f50e3e8f647631591d98fb0d14792_cryptolocker.exe	86
PID 5016 wrote to memory of 2324	5016	2024-01-29_603f50e3e8f647631591d98fb0d14792_cryptolocker.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-01-29_603f50e3e8f647631591d98fb0d14792_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_603f50e3e8f647631591d98fb0d14792_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
31KB

MD5
54b0171868c32c68eb3681195b5ca6a0

SHA1
f49499e69679fd690611bd3b11c84f2f5437c44e

SHA256
8593c1d6b496f746358f3d7f42105967a8b0873244ea75d60c23e65906ee1ff2

SHA512
35cf5827b9bddd4a3416f968ae6750051aba04b42b900909896665f53e6ca51b2cda5ce414bc149c0a82e4a4d0f6199649988c3ec10ad1b9d302605bee0eeec2

Download Submit
memory/2324-21-0x0000000002060000-0x0000000002066000-memory.dmp

Filesize
24KB

Download
memory/5016-0-0x0000000000770000-0x0000000000776000-memory.dmp

Filesize
24KB

Download
memory/5016-1-0x0000000000770000-0x0000000000776000-memory.dmp

Filesize
24KB

Download
memory/5016-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download