23174968d3a6a4e737ea0f068fe3e920f47c3f6a255128681de0b806788d345c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_a2f08bd281df142300283d5f02b1d7a7_cryptolocker.exe
Size

46KB
MD5

a2f08bd281df142300283d5f02b1d7a7
SHA1

b7d4c7842e37c9c96cfd90546ae01456a757c5f7
SHA256

23174968d3a6a4e737ea0f068fe3e920f47c3f6a255128681de0b806788d345c
SHA512

053b7e21db9d00f2b9c792d395539bbe81a618a5a04d1f9a5b7a55b6a8e9c0a8d814ed30b25d5b596a377666ed2fb34daf0ec6ea07b849fe5280bbe0345b4196
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37YbDu5z/hvvC:bgGYcA/53GAA6y37nbi

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002312d-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	2024-02-19_a2f08bd281df142300283d5f02b1d7a7_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2188	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 2188	396	2024-02-19_a2f08bd281df142300283d5f02b1d7a7_cryptolocker.exe	86
PID 396 wrote to memory of 2188	396	2024-02-19_a2f08bd281df142300283d5f02b1d7a7_cryptolocker.exe	86
PID 396 wrote to memory of 2188	396	2024-02-19_a2f08bd281df142300283d5f02b1d7a7_cryptolocker.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-02-19_a2f08bd281df142300283d5f02b1d7a7_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_a2f08bd281df142300283d5f02b1d7a7_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
46KB

MD5
50f2c6eb2021d5b64b7b261bd15e47ab

SHA1
e5c4f0646a22fe05b78c30d8ee0a45263d47bba8

SHA256
c657dea9a67312ebee41ca1b5f3fff90563401d3950186a670af2ab6cc257eda

SHA512
988253c587c06521cbc9b940e80d0edc70691abe413b35a5e6389738d1e5c56ab9f56dc835618c8608dc7dabb4a6fb51a5d089fdabe1676e75c2feee236cdadc

Download Submit
memory/396-0-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/396-1-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/396-2-0x0000000002400000-0x0000000002406000-memory.dmp

Filesize
24KB

Download
memory/2188-17-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download
memory/2188-23-0x00000000020A0000-0x00000000020A6000-memory.dmp

Filesize
24KB

Download