0b6543f30bab3b0da4b6169aa586703c69caec43d8ee2a04a8ade4ca289f2921

General

Target

2024-02-04_97ea5652ba756ddc9330356658a4cb83_cryptolocker.exe
Size

56KB
MD5

97ea5652ba756ddc9330356658a4cb83
SHA1

441dabe2e64a31fe388d95df290f45416219b860
SHA256

0b6543f30bab3b0da4b6169aa586703c69caec43d8ee2a04a8ade4ca289f2921
SHA512

109d3e1146e5d5d10aefb085197c5d3e98bec1e98cf050bb00cd27c02d70c536085653ad363d5035bf67da980a3bf3ae4f986284b02d61e9911350029220de6a
SSDEEP

768:zQz7yVEhs9+syJP6ntOOtEvwDpjFeV0ZOfcpyF:zj+soPSMOtEvwDpj4yo

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 6 IoCs

resource	yara_rule
behavioral2/memory/1640-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x000e00000002314b-13.dat	CryptoLocker_rule2
behavioral2/memory/544-18-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/1640-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x000e00000002314b-16.dat	CryptoLocker_rule2
behavioral2/memory/544-57-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 6 IoCs

resource	yara_rule
behavioral2/memory/1640-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/files/0x000e00000002314b-13.dat	CryptoLocker_set1
behavioral2/memory/544-18-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/memory/1640-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/files/0x000e00000002314b-16.dat	CryptoLocker_set1
behavioral2/memory/544-57-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral2/memory/1640-0-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral2/files/0x000e00000002314b-13.dat	UPX
behavioral2/memory/544-18-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral2/memory/1640-17-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral2/files/0x000e00000002314b-16.dat	UPX
behavioral2/memory/544-57-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	2024-02-04_97ea5652ba756ddc9330356658a4cb83_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	misid.exe

Executes dropped EXE 1 IoCs

pid	Process
544	misid.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1640-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x000e00000002314b-13.dat	upx
behavioral2/memory/544-18-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1640-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x000e00000002314b-16.dat	upx
behavioral2/memory/544-57-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 544	1640	2024-02-04_97ea5652ba756ddc9330356658a4cb83_cryptolocker.exe	17
PID 1640 wrote to memory of 544	1640	2024-02-04_97ea5652ba756ddc9330356658a4cb83_cryptolocker.exe	17
PID 1640 wrote to memory of 544	1640	2024-02-04_97ea5652ba756ddc9330356658a4cb83_cryptolocker.exe	17

C:\Users\Admin\AppData\Local\Temp\2024-02-04_97ea5652ba756ddc9330356658a4cb83_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_97ea5652ba756ddc9330356658a4cb83_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
46KB

MD5
5031861b45400e46f69076e036823ac6

SHA1
a734b25221406146eacb171a21f09e06eec68294

SHA256
f10885952a18868c6f5d9ed20a2986e0fe87b731231d11170273ab9d4e08bf9c

SHA512
02f1bbf4d17605cc24946a616b284a0337870f8c3cd73a2d3bf426ed88f5d43f712b779f4aff116dabb1dfa024f0ce185d43bcba0c316ffc8de929cbbe5784e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
56KB

MD5
588eef096537deefe1d27f640cf8f792

SHA1
ced275900fe3c783758080ea0d819b44170f49cb

SHA256
fee8bea983b982974c5f6f9dd452b615974d91475fb90459a3562b34d55a78f8

SHA512
e61a84f540df5f7d95b47468f86bc59d8241b7515b4c7fabd6198661b2899d6dd9e3b8f20767a6777bbf8251eac6de1253f481cc1db4211b8384c53a3b949cd5

Download Submit
memory/544-18-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/544-20-0x00000000020F0000-0x00000000020F6000-memory.dmp

Filesize
24KB

Download
memory/544-26-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download
memory/544-57-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1640-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1640-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1640-3-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/1640-2-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1640-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing