Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-02-2024 20:21
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-02-12_d104ff42f4a3e1802c80dd2e6ee96a85_cryptolocker.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2024-02-12_d104ff42f4a3e1802c80dd2e6ee96a85_cryptolocker.exe
  Resource: win10v2004-20231222-en
General
Target: 2024-02-12_d104ff42f4a3e1802c80dd2e6ee96a85_cryptolocker.exe
Size: 41KB
MD5: d104ff42f4a3e1802c80dd2e6ee96a85
SHA1: f4def39f80375602d6c2999dc2f5254093aec73b
SHA256: 546518a648c254cfa95299873e9c6872827b064447fc47f6b50e8c78d7d97bdf
SHA512: 2f6281e59d74f54e5d6ae6c67bb02422da5b1fae53b34921fe3b26796b1576f00b296920f08fcf8fafa7bf1c4f4d5f1b3c21a8cfd2c5bc224a0301ee2b202f85
SSDEEP: 768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37YbD4Is:bgGYcA/53GAA6y374s
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\hasfj.exe | yara_rule: CryptoLocker_rule2

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | process: 2024-02-12_d104ff42f4a3e1802c80dd2e6ee96a85_cryptolocker.exe

Executes dropped EXE (1 IoCs)
  Processes:
    pid: 4940 | process: hasfj.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 5100 wrote to memory of 4940 | pid: 5100 | process: 2024-02-12_d104ff42f4a3e1802c80dd2e6ee96a85_cryptolocker.exe | target process: hasfj.exe
    description: PID 5100 wrote to memory of 4940 | pid: 5100 | process: 2024-02-12_d104ff42f4a3e1802c80dd2e6ee96a85_cryptolocker.exe | target process: hasfj.exe
    description: PID 5100 wrote to memory of 4940 | pid: 5100 | process: 2024-02-12_d104ff42f4a3e1802c80dd2e6ee96a85_cryptolocker.exe | target process: hasfj.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-02-12_d104ff42f4a3e1802c80dd2e6ee96a85_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-12_d104ff42f4a3e1802c80dd2e6ee96a85_cryptolocker.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 5100
   2. C:\Users\Admin\AppData\Local\Temp\hasfj.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      - Executes dropped EXE
      PID: 4940
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 41KB
MD5: f23f74262b9adeb6e30d1c7cc667f560
SHA1: b2da9ba02bdb7bd841827493f34eea63a6151f66
SHA256: e44788954d40a114a54d4b72e3f0a8222501da241dd737c2064090c8ee6d4c9a
SHA512: a41f6be988bc33fb67242c926d8273836390428012255872a26f5082a23bbcdbaa695b61c60704697e07a42701a2eb6b9b35e97daca8c2a20aa295f92c5bc209