03bac9d94c25ae03b95187551797e6755aad62bd786983b38a57fa82953400d1

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_c94aa63e0795bdbf29f5404202d71b97_cryptolocker.exe
Size

47KB
MD5

c94aa63e0795bdbf29f5404202d71b97
SHA1

c84f92e61f1b29647d1bce282a1e331d48ec2a0b
SHA256

03bac9d94c25ae03b95187551797e6755aad62bd786983b38a57fa82953400d1
SHA512

f29d4e03c32bf33428227776020f4811b65e0930a31714b19dbf192f407522f90cc1b7d17f72c491927983fe09dd2864a9ab0520bfb224d77195ee1b7fd04868
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37Yl6dd3LcjA:bgGYcA/53GAA6y37Q6dd3LOA

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231f0-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	2024-02-02_c94aa63e0795bdbf29f5404202d71b97_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1380	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1380	2184	2024-02-02_c94aa63e0795bdbf29f5404202d71b97_cryptolocker.exe	87
PID 2184 wrote to memory of 1380	2184	2024-02-02_c94aa63e0795bdbf29f5404202d71b97_cryptolocker.exe	87
PID 2184 wrote to memory of 1380	2184	2024-02-02_c94aa63e0795bdbf29f5404202d71b97_cryptolocker.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-02-02_c94aa63e0795bdbf29f5404202d71b97_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_c94aa63e0795bdbf29f5404202d71b97_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
47KB

MD5
bf24c714351b75f52acf24757a1166a3

SHA1
e92cf04d8b91429e534d944225088a5b8e580bae

SHA256
3832ce0385effea24931e073006e0c99ce04de04a08d74c53adeae5727ef2d67

SHA512
326f0531d80e544402286754df5313b78a50228854dc33351e00a21bf661043575bfb44696a2756f17a8f1bd2e98e3295bdcd8a2c2088f4d79e3f907e3886c57

Download Submit
memory/1380-17-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download
memory/1380-19-0x00000000006F0000-0x00000000006F6000-memory.dmp

Filesize
24KB

Download
memory/2184-0-0x00000000022C0000-0x00000000022C6000-memory.dmp

Filesize
24KB

Download
memory/2184-1-0x00000000022C0000-0x00000000022C6000-memory.dmp

Filesize
24KB

Download
memory/2184-2-0x0000000002400000-0x0000000002406000-memory.dmp

Filesize
24KB

Download