89deb7c93801fb6ad1a343e0cb5344133e09ca27d8f308362553269643f30b47

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe
Size

4.5MB
MD5

6eb9432f3648130a07a96f3a5ebfda31
SHA1

02ecca996c9e3c734ac933241d5dbcb21869e1d2
SHA256

89deb7c93801fb6ad1a343e0cb5344133e09ca27d8f308362553269643f30b47
SHA512

dfe8f10d055548c2808412d452310330b47ca311861d41ca41b7f677fc0c3b6ba27ba9cf113f96773a44402962ee130b0c8e3d6e132c23889862a645b49d7af3
SSDEEP

98304:g/ZFIjBzldUfs/ZFIjBz7jSZD1tU7ymTV:g/ZFIjBzF/ZFIjBzPEUusV

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023201-12.dat	CryptoLocker_rule2

Detects executables built or packed with MPress PE compressor 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023201-12.dat	INDICATOR_EXE_Packed_MPress

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation	2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4312	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 4312	440	2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe	88
PID 440 wrote to memory of 4312	440	2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe	88
PID 440 wrote to memory of 4312	440	2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_6eb9432f3648130a07a96f3a5ebfda31_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:440
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
4.5MB

MD5
273181aeb7694153c5d8dd81d2522838

SHA1
66ea65ef238203bb13ddd503a68f26f088ef4899

SHA256
29278b9d202b64a65df72cb0cb2bcd48813a204e11510ff16d179f7426b43151

SHA512
8376f0482f272a15c83835d40524a7f3e97d3a81918f5dcfc321e735e685a1e3b5b50a4cb037ae485c81613f6dd0d9a1eeeb58d383f62b8717ad1890b0236457

Download Submit
memory/440-0-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/440-1-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/440-2-0x0000000002380000-0x0000000002386000-memory.dmp

Filesize
24KB

Download
memory/4312-18-0x0000000002140000-0x0000000002146000-memory.dmp

Filesize
24KB

Download
memory/4312-17-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download