cf880865d09eb707ac0bdce9a7d36c81e74aaea12efecce960962e6c24c3ffbb

Analysis

max time kernel
165s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-02-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-29_e28715217a1f552dbe20ca0385cc0c6d_cryptolocker.exe
Size

47KB
MD5

e28715217a1f552dbe20ca0385cc0c6d
SHA1

c5f705305e158f654347a4270ae24abbda5e7c65
SHA256

cf880865d09eb707ac0bdce9a7d36c81e74aaea12efecce960962e6c24c3ffbb
SHA512

b8f32cfcac4a9e86c5f497180491d7f40d428932269609903db977e88bd48bc93fba33432e013a5bf8c5c87e8448cd2d51932b85535bb95330e88132727b01de
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37Yl6dIDtTf:bgGYcA/53GAA6y37Q6dIhr

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023336-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	2024-02-29_e28715217a1f552dbe20ca0385cc0c6d_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2480	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 2480	4676	2024-02-29_e28715217a1f552dbe20ca0385cc0c6d_cryptolocker.exe	97
PID 4676 wrote to memory of 2480	4676	2024-02-29_e28715217a1f552dbe20ca0385cc0c6d_cryptolocker.exe	97
PID 4676 wrote to memory of 2480	4676	2024-02-29_e28715217a1f552dbe20ca0385cc0c6d_cryptolocker.exe	97

C:\Users\Admin\AppData\Local\Temp\2024-02-29_e28715217a1f552dbe20ca0385cc0c6d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-29_e28715217a1f552dbe20ca0385cc0c6d_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=3016,i,1323102786462900035,7687994236215859601,262144 --variations-seed-version /prefetch:8
1⤵
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
47KB

MD5
cedd5dd0d54ed3645024b2dc4e048dbc

SHA1
1283c4dc8d2d964529c4c0da48574720124a579c

SHA256
4c475d11e331e5bde3f800ebaa4cff0458ec83a6662720c415d135b14efd7e08

SHA512
f908c81d7a4c85dd6cab0b1ab7cd36f072bb3beb85796ef00026cefd08da50b8f336f28f9a8e54004b9e80bc888b8fa4910878c93c206067bf7cd790d163c640

Download Submit
memory/2480-18-0x0000000002200000-0x0000000002206000-memory.dmp

Filesize
24KB

Download
memory/2480-17-0x0000000002380000-0x0000000002386000-memory.dmp

Filesize
24KB

Download
memory/4676-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/4676-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/4676-2-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download