86b3f5eb746325e3acc203d1e496259ff0b85d63ec94fec57e947e6fcfbd454d

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe
Size

31KB
MD5

4d0a4a4682ab8d368fa13a64f316776e
SHA1

d14882de5d86183bac986c0754064c37703606ab
SHA256

86b3f5eb746325e3acc203d1e496259ff0b85d63ec94fec57e947e6fcfbd454d
SHA512

8c06ef0c6e4b5ea03694076584e6f75478a144459b0ba8320fae84e13e1cc94ad02722bc9e001171cbd760db691ffaae2697122fa69a1e48a0071b9099483116
SSDEEP

384:bmM0V/YPvnr801TRoUGPh4TKt6ATt1DqgPa3s/zzoCt96Jg57:b7o/2n1TCraU6GD1a4Xt94u

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000d00000002315a-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4344	rewok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 4344	3984	2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe	84
PID 3984 wrote to memory of 4344	3984	2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe	84
PID 3984 wrote to memory of 4344	3984	2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_4d0a4a4682ab8d368fa13a64f316776e_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
32KB

MD5
c5d707c6dc5dd2fa8075e31181302c76

SHA1
b775bec975f989c16df0853977746de8051f3c92

SHA256
7caf2d1c1996f5733819807a6934953696f0049e2ffb3460ccff13d4f7cf77b3

SHA512
fea550f89e9a7cf642032030a16ab4330e8810acebe6bd6bf7d87d1ae514bc489e780b2c0b8ada18c3910e2603aa0255b93836acd57aee88368eaab0dd550eb3

Download Submit
memory/3984-0-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download
memory/3984-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3984-1-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download
memory/4344-19-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download