073884091c92ecdbadd1bc4691c632f6e1ff183cac2f008cdc620df7ead47d58

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/02/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-29_bbdd20a45f5754553313da8e20c6a3e9_cryptolocker.exe
Size

43KB
MD5

bbdd20a45f5754553313da8e20c6a3e9
SHA1

833b95c8a3b227fb95828ad38355c1ed903c5b18
SHA256

073884091c92ecdbadd1bc4691c632f6e1ff183cac2f008cdc620df7ead47d58
SHA512

d8ec3e8242fa7ce2c941d3489de6505f7d5a2a47a15fed414333f80d1f76947fd4c44c05f1318eae21f0b853fec4d69c080ce5ce1137fc3186126137aa8c5b90
SSDEEP

768:b7o/2n1TCraU6GD1a4Xcn62TUdcuQlqJ51mwov3:bc/y2lm6Y0AqJ51mwov3

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023235-14.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	2024-02-29_bbdd20a45f5754553313da8e20c6a3e9_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4392	rewok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 4392	4348	2024-02-29_bbdd20a45f5754553313da8e20c6a3e9_cryptolocker.exe	92
PID 4348 wrote to memory of 4392	4348	2024-02-29_bbdd20a45f5754553313da8e20c6a3e9_cryptolocker.exe	92
PID 4348 wrote to memory of 4392	4348	2024-02-29_bbdd20a45f5754553313da8e20c6a3e9_cryptolocker.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-02-29_bbdd20a45f5754553313da8e20c6a3e9_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-29_bbdd20a45f5754553313da8e20c6a3e9_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
43KB

MD5
f8212ca63a0294470e18fa6526dcf326

SHA1
6dd0c439eaaaeccd76a210d126b20426addde1fc

SHA256
5e57f5d80bbd9e2b8629c9a60674398b83b1dac530a76a6ee09a300dbf285990

SHA512
42063a8f1c0d2d6c407f1bfbecb7295b0b49b7b5b17a86c13fdae78e1eed99f506a90a90f4f65fa5f6cdc04fcdd2e9a9012e9aac896137dbb228121e2af57f2a

Download Submit
memory/4348-0-0x0000000002330000-0x0000000002336000-memory.dmp

Filesize
24KB

Download
memory/4348-2-0x0000000002330000-0x0000000002336000-memory.dmp

Filesize
24KB

Download
memory/4348-4-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4392-22-0x0000000002100000-0x0000000002106000-memory.dmp

Filesize
24KB

Download