95c9d39106b2f46a5782cc1e1f846d667bb1cae26d512c51a96ffe32948da590

Analysis

max time kernel
32s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_c0a553868ed299b1be9373b0180b002a_cryptolocker.exe
Size

46KB
MD5

c0a553868ed299b1be9373b0180b002a
SHA1

e4b1c530207bbd9585a1271e4a752150057f293e
SHA256

95c9d39106b2f46a5782cc1e1f846d667bb1cae26d512c51a96ffe32948da590
SHA512

1be69b49735928425d168e0f4d0ac2bc3f09e075831aa7e7be71734c80371dcaad9f6a64f6ab16c35fd6533395c278c5cdbe098b3f918c9aea3fb5f95f3e7682
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37YbDu5z/hG:bgGYcA/53GAA6y37nbG

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000900000002325f-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-03-05_c0a553868ed299b1be9373b0180b002a_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1804	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 1804	3572	2024-03-05_c0a553868ed299b1be9373b0180b002a_cryptolocker.exe	97
PID 3572 wrote to memory of 1804	3572	2024-03-05_c0a553868ed299b1be9373b0180b002a_cryptolocker.exe	97
PID 3572 wrote to memory of 1804	3572	2024-03-05_c0a553868ed299b1be9373b0180b002a_cryptolocker.exe	97

C:\Users\Admin\AppData\Local\Temp\2024-03-05_c0a553868ed299b1be9373b0180b002a_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_c0a553868ed299b1be9373b0180b002a_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
46KB

MD5
bd6284a36978165c8a22cf16967aec9e

SHA1
68e749a59d76af76a5e8b6f0cc80258e46d8673b

SHA256
42d5fadf159758d3fec02eb992d6cac44b35186351cb7a7c269e5af684b5cff3

SHA512
4ca32b2e1d4143c143ec4df29fe86093c4fc82c92076c863b581095c42348da0da9b2c1444fda3f561505e08d69be166cc299af9d77c98b1edcb3671e82d6c8c

Download Submit
memory/1804-17-0x00000000022C0000-0x00000000022C6000-memory.dmp

Filesize
24KB

Download
memory/1804-18-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/3572-0-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/3572-1-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/3572-2-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download