6235233ee22dfe099b41eb07d50c898253adc8a43dd7acce7dcef521fa43b822

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2024 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_c65dadfd4e7230db4de48037f3979272_cryptolocker.exe
Size

79KB
MD5

c65dadfd4e7230db4de48037f3979272
SHA1

10ad9310258cf0ccefc7be7e67ee94a7480d744e
SHA256

6235233ee22dfe099b41eb07d50c898253adc8a43dd7acce7dcef521fa43b822
SHA512

ba2ce7d31cd2a7f93712e8b744d99f5df3c32b30247ff5d7e4456b361973ae04f5222c8ad86a37e537d2d689a6df4ea2d0ccc0bd42f69e8178ffa44b64719b06
SSDEEP

1536:vj+jsMQMOtEvwDpj5HwYYTjipvF2hBfWafHNX:vCjsIOtEvwDpj5H9YvQd25

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f6-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f6-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	2024-02-18_c65dadfd4e7230db4de48037f3979272_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
468	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 468	564	2024-02-18_c65dadfd4e7230db4de48037f3979272_cryptolocker.exe	84
PID 564 wrote to memory of 468	564	2024-02-18_c65dadfd4e7230db4de48037f3979272_cryptolocker.exe	84
PID 564 wrote to memory of 468	564	2024-02-18_c65dadfd4e7230db4de48037f3979272_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-02-18_c65dadfd4e7230db4de48037f3979272_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_c65dadfd4e7230db4de48037f3979272_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
79KB

MD5
4a7abed77a14637a7d7e993d89eeb020

SHA1
afe86a3067373eca5fb98a10deae0bada1869f25

SHA256
ed28b7ab7fcfff68d913947a29b87386ec56836f117d30efd0bd18b09b183b8f

SHA512
d3be52b7f5a3330b46856f77c382035285c40e4293a3fda5a6e434954a31d6a526734f1cba70325b4ca5e72d45e70fc7556cd429458beed4e2870ba9a96760f8

Download Submit
memory/468-17-0x0000000002070000-0x0000000002076000-memory.dmp

Filesize
24KB

Download
memory/468-19-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/564-0-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/564-1-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/564-2-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download