baa615277dcd2bf722f0e4c6505b9621fe320a541cce8653b8ff1e9b32bc4de7

Analysis

max time kernel
126s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_893ae78e64da7b7a4b659a757ba4a09b_cryptolocker.exe
Size

85KB
MD5

893ae78e64da7b7a4b659a757ba4a09b
SHA1

120dae6cd45b3c6042cc130e22c069441c7c72e7
SHA256

baa615277dcd2bf722f0e4c6505b9621fe320a541cce8653b8ff1e9b32bc4de7
SHA512

eefed70d5034344a519af0c967a392100f5bb11c26f683e70327b73e7cae28c3aa3257384443cfd88994de86fffeab8d4f08cae2767a123a09f33ce4484ba3da
SSDEEP

768:XS5nQJ24LR1bytOOtEvwDpjNbZ7uyA36S7MpxRXrZSUfFKazNclMjNUvxpRm:i5nkFGMOtEvwDpjNbwQEI8UtzNcO8E

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/484-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
C:\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_rule2
behavioral2/memory/484-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/348-54-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/484-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral2/memory/348-54-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/484-0-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Local\Temp\misid.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/484-17-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/348-54-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-02-12_893ae78e64da7b7a4b659a757ba4a09b_cryptolocker.exemisid.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	2024-02-12_893ae78e64da7b7a4b659a757ba4a09b_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	misid.exe

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid process

348 misid.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
348	misid.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-02-12_893ae78e64da7b7a4b659a757ba4a09b_cryptolocker.exe

description	pid	process	target process
PID 484 wrote to memory of 348	484	2024-02-12_893ae78e64da7b7a4b659a757ba4a09b_cryptolocker.exe	misid.exe
PID 484 wrote to memory of 348	484	2024-02-12_893ae78e64da7b7a4b659a757ba4a09b_cryptolocker.exe	misid.exe
PID 484 wrote to memory of 348	484	2024-02-12_893ae78e64da7b7a4b659a757ba4a09b_cryptolocker.exe	misid.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_893ae78e64da7b7a4b659a757ba4a09b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_893ae78e64da7b7a4b659a757ba4a09b_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:484

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:348

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe
Filesize
85KB

MD5
1e0120c7fc719cc53c4fb3472bd1e15b

SHA1
0d2d78049dc05f869090c0d3009a8a561dd01c7a

SHA256
9282ef072df8d7f2fcb690189b33643bc8e06fdb6ccc777de4d752e17c9b29bf

SHA512
cabc00625d26c3040d748f03b2b4fe71acbf7f3a3d3f04f5d9c80e5e39b1eff91f9ba17d410f7aaa152700f1b513eb7fea145860987878c727c11e55d21ecb7c

Download Submit
memory/348-19-0x00000000020F0000-0x00000000020F6000-memory.dmp

Filesize
24KB

Download
memory/348-21-0x00000000020D0000-0x00000000020D6000-memory.dmp

Filesize
24KB

Download
memory/348-54-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/484-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/484-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/484-2-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/484-3-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/484-17-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download