f2d7dae376f8b50969ace151ddf7a9c7485062524315e22a362ab65125adb362

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-11_8db0f9143cfabf24e6e54c6fb320d07b_cryptolocker.exe
Size

29KB
MD5

8db0f9143cfabf24e6e54c6fb320d07b
SHA1

e9c1f68ff5a880f9fd7b01d6940358fecf262af9
SHA256

f2d7dae376f8b50969ace151ddf7a9c7485062524315e22a362ab65125adb362
SHA512

7a23b277c10ac59506fe27893f7fb6ec5383d8683d73f5db6f8648d76f3ec22726c4ccd1faf57ffe5fd35f23086d9233d623f15f710a3b622587e6823e85288e
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUr766SJ5S+zr:bA74zYcgT/Ekd0ryfjQRSnrf

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002320d-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	2024-02-11_8db0f9143cfabf24e6e54c6fb320d07b_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4984	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 4984	4932	2024-02-11_8db0f9143cfabf24e6e54c6fb320d07b_cryptolocker.exe	84
PID 4932 wrote to memory of 4984	4932	2024-02-11_8db0f9143cfabf24e6e54c6fb320d07b_cryptolocker.exe	84
PID 4932 wrote to memory of 4984	4932	2024-02-11_8db0f9143cfabf24e6e54c6fb320d07b_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-02-11_8db0f9143cfabf24e6e54c6fb320d07b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-11_8db0f9143cfabf24e6e54c6fb320d07b_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
29KB

MD5
e0fdb7fa5866c98982b36b5c34b5ebff

SHA1
4fbad8f094164d1aa580cfb9f19d51d41955e240

SHA256
cbb23d6c1e308d7aa97514e3df32a021e53312dd3c165b132e273a6513563d3c

SHA512
cbada1ddf40119d69c50b1ed7e626653b9a17d8905828e53d6d8fd2b761747352373f05cae61a9aa1724ff893d119e83f2e6851972015c79a177ead5d4f07334

Download Submit
memory/4932-0-0x0000000000640000-0x0000000000646000-memory.dmp

Filesize
24KB

Download
memory/4932-1-0x0000000000640000-0x0000000000646000-memory.dmp

Filesize
24KB

Download
memory/4932-2-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/4984-17-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download
memory/4984-20-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download