76f87c3cb1697a1f772e0234444adaad1ce09a370c3ff2a0c090081a6b668c32

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_85e613403f623a89ce948f66082a9474_cryptolocker.exe
Size

46KB
MD5

85e613403f623a89ce948f66082a9474
SHA1

672d52a2b68c5c9f29a367422481b51f55081557
SHA256

76f87c3cb1697a1f772e0234444adaad1ce09a370c3ff2a0c090081a6b668c32
SHA512

969dc5a27fc915aa1644827bbf63cedc8956f87fcbc8087b3843a9318bfcdd6c60a7ede9b8364901aca9df2d6899472c1c6f114f1c4827e534931a634eff0c20
SSDEEP

768:xQz7yVEhs9+4uR1bytOOtEvwDpjWE6BLtldtb:xj+VGMOtEvwDpjk/tb

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

resource	yara_rule
behavioral2/memory/3224-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x000300000001e96f-13.dat	CryptoLocker_rule2
behavioral2/memory/3224-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/4788-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral2/memory/3224-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/files/0x000300000001e96f-13.dat	CryptoLocker_set1
behavioral2/memory/3224-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/memory/4788-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 4 IoCs

resource	yara_rule
behavioral2/memory/3224-0-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000300000001e96f-13.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3224-17-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4788-26-0x0000000000500000-0x0000000000510000-memory.dmp	INDICATOR_EXE_Packed_MPress

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation	2024-02-23_85e613403f623a89ce948f66082a9474_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4788	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 4788	3224	2024-02-23_85e613403f623a89ce948f66082a9474_cryptolocker.exe	87
PID 3224 wrote to memory of 4788	3224	2024-02-23_85e613403f623a89ce948f66082a9474_cryptolocker.exe	87
PID 3224 wrote to memory of 4788	3224	2024-02-23_85e613403f623a89ce948f66082a9474_cryptolocker.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-02-23_85e613403f623a89ce948f66082a9474_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_85e613403f623a89ce948f66082a9474_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
47KB

MD5
9fcdbeb9688257d80588c8a8e3048fea

SHA1
939f55a7f5109cbd2a7f3b43e0a704b7e3078b3c

SHA256
46349f095492aec85b01f79df8cebfb47a06c9ae117996cbffbee9b2d215624a

SHA512
3b98f5370400e177972364852a3b27e25316f2a0a8c535e73b545f60b26808327e84af12db8e4fdd8d6d4094cc323a1fc4947c5615469931d70b188fef0960b3

Download Submit
memory/3224-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3224-1-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/3224-2-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/3224-3-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/3224-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4788-19-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/4788-20-0x0000000000750000-0x0000000000756000-memory.dmp

Filesize
24KB

Download
memory/4788-26-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download