f9488718d806ead8fed97836996673d171a1bf9765a4a1e13b6603f7bf8b554f

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_c4f0c3c0df36bf59b308e0f67cc89fd6_cryptolocker.exe
Size

35KB
MD5

c4f0c3c0df36bf59b308e0f67cc89fd6
SHA1

306fed92075122a51d4ea6fdc761c2fea6e36885
SHA256

f9488718d806ead8fed97836996673d171a1bf9765a4a1e13b6603f7bf8b554f
SHA512

5bf7e8002c2e49cb098af6f97c5c36014b8c6f81b57e5769c0c5913966234cd83e5fc8c25e828ca32329cf892d23d7010cba4aae7f11a2819709102e22e7d41d
SSDEEP

768:bxNQIE0eBhkL2Fo1CCwgfjOg1tsJ6zeen7cCD:bxNrC7kYo1Fxf3s0cCD

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x00c300000001e848-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	2024-02-24_c4f0c3c0df36bf59b308e0f67cc89fd6_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1140	pissa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 1140	3240	2024-02-24_c4f0c3c0df36bf59b308e0f67cc89fd6_cryptolocker.exe	88
PID 3240 wrote to memory of 1140	3240	2024-02-24_c4f0c3c0df36bf59b308e0f67cc89fd6_cryptolocker.exe	88
PID 3240 wrote to memory of 1140	3240	2024-02-24_c4f0c3c0df36bf59b308e0f67cc89fd6_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-02-24_c4f0c3c0df36bf59b308e0f67cc89fd6_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_c4f0c3c0df36bf59b308e0f67cc89fd6_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\pissa.exe
  "C:\Users\Admin\AppData\Local\Temp\pissa.exe"
  2⤵
  - Executes dropped EXE
  PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pissa.exe

Filesize
35KB

MD5
8bf8bbfe6aecc00df6517fcab9782cfa

SHA1
537dd0f2ba4dd5f305359a3d94ea9010770ee81e

SHA256
17af855fd74ceb049b48537ea68d315fff93b18ac23c9a7154e0bdcedd859f45

SHA512
eb0ddcafc9d15678e05ca72e093a37948fa2b1c845d0ab611bbd5c24af11616124ef9486aaa5e9bda4dcb48e80ea8a7bf92e83afcdfe141f17821b1540f21842

Download Submit
memory/1140-19-0x0000000002020000-0x0000000002026000-memory.dmp

Filesize
24KB

Download
memory/3240-0-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download
memory/3240-1-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download
memory/3240-2-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download