486c3e4ee6546f07a26ad2bdf41934c97a27b5ee2242fc4452e4acab3feacb46

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe
Size

37KB
MD5

6a3976af618661c489d3117a4ee12646
SHA1

fb1d4518f3fcaacc3d9d902fc5f7accb59b546ba
SHA256

486c3e4ee6546f07a26ad2bdf41934c97a27b5ee2242fc4452e4acab3feacb46
SHA512

026e91bc25278baad9eac667296cc35e5aa6fffd5c17c96004791959a40f90c28d64b1327c439b51a0cea46e4bf7890a8e4714cc85dc8386983cbe7a7bcd94ff
SSDEEP

384:bgX4uGLLQRcsdeQ7/nQu63Ag7YmecFanrlwfjDUkKDfWf0w3sp8u5cZr/04qXZ:bgX4zYcgTEu6QOaryfjqDDw3sCu5q/8Z

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000002288e-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1888637039-960448630-940472005-1000\Control Panel\International\Geo\Nation	2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3128	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 3128	5004	2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe	86
PID 5004 wrote to memory of 3128	5004	2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe	86
PID 5004 wrote to memory of 3128	5004	2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_6a3976af618661c489d3117a4ee12646_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
37KB

MD5
00b73e680176177a3d095d22a51b4e39

SHA1
089ca7f0cf607de67546d91a2e3fec92d027eda4

SHA256
71961728004070a234a2a102fcb42bfa0ed34edae83d83d3febd81c50df3ba79

SHA512
79dae509cdfbbd9497cb2cd7b788b1209c9cb15168df6002a02f5e417b95b236cab42b70bfcb552b2e1d7c090d3d7572fc84a11cca47539977af0d3357858644

Download Submit
memory/3128-17-0x0000000002230000-0x0000000002236000-memory.dmp

Filesize
24KB

Download
memory/3128-19-0x0000000002200000-0x0000000002206000-memory.dmp

Filesize
24KB

Download
memory/5004-0-0x0000000002D50000-0x0000000002D56000-memory.dmp

Filesize
24KB

Download
memory/5004-1-0x0000000002D50000-0x0000000002D56000-memory.dmp

Filesize
24KB

Download
memory/5004-2-0x0000000003000000-0x0000000003006000-memory.dmp

Filesize
24KB

Download