f42438aab38314f89cf18969b56ec0e98a8bbd0cf30bea48629734430a82397a

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 04:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_7780957b75f684f4f3a066c91fa5b711_cryptolocker.exe
Size

52KB
MD5

7780957b75f684f4f3a066c91fa5b711
SHA1

cf374e68b4e7040df19929f07494e4525619ad4d
SHA256

f42438aab38314f89cf18969b56ec0e98a8bbd0cf30bea48629734430a82397a
SHA512

6c3daba1747ed66f224f99c910cc20130676494964d7071ad3300e27a35119994ee431086c436fe7ec46e9cf07623dcd9c4eaae01a3a54aa4f1cbe79697d9999
SSDEEP

1536:ZzFbxmLPWQMOtEvwDpj386Sj/WprgJN6tZdO5SC:ZVxkGOtEvwDpjcB

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231f6-13.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	2024-02-23_7780957b75f684f4f3a066c91fa5b711_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3256	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 3256	4232	2024-02-23_7780957b75f684f4f3a066c91fa5b711_cryptolocker.exe	87
PID 4232 wrote to memory of 3256	4232	2024-02-23_7780957b75f684f4f3a066c91fa5b711_cryptolocker.exe	87
PID 4232 wrote to memory of 3256	4232	2024-02-23_7780957b75f684f4f3a066c91fa5b711_cryptolocker.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-02-23_7780957b75f684f4f3a066c91fa5b711_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_7780957b75f684f4f3a066c91fa5b711_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
52KB

MD5
46a049576eff481c6fd9927486acbf10

SHA1
4ad2940b0617b71284255fed4e9a1ab03c6827ae

SHA256
442df5b371e762ef5a9da0362b76678b84903e05d2b5834b9ea90ff550d973a9

SHA512
4432b786a541363f0af41afeaa5dd33cef05298cdf567a20f4f64b3667ac14c422b943f101682af174b2fe66f48be6f0e631a8816418b80cc01fc1a41feec821

Download Submit
memory/3256-17-0x00000000004E0000-0x00000000004E3000-memory.dmp

Filesize
12KB

Download
memory/3256-21-0x0000000001F70000-0x0000000001F76000-memory.dmp

Filesize
24KB

Download
memory/3256-20-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/4232-0-0x0000000000490000-0x0000000000493000-memory.dmp

Filesize
12KB

Download
memory/4232-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/4232-2-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/4232-3-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/4232-18-0x0000000000490000-0x0000000000493000-memory.dmp

Filesize
12KB

Download