d5c0a0d3b174f56189fe665120adeac26a86310bd452d0058bca5e8f8b8758e1

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 07:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_e234b2f629ac27f01082c127d87fde0b_cryptolocker.exe
Size

386KB
MD5

e234b2f629ac27f01082c127d87fde0b
SHA1

18a4db5a65a754824b98a251ffbd9b5aa69b7d0b
SHA256

d5c0a0d3b174f56189fe665120adeac26a86310bd452d0058bca5e8f8b8758e1
SHA512

2880f4a897769ccaf6d853bb9904369e0e2e56d9d3b829e3ad923eafae342c3b0a439f4dbaad4309683f8527c5547e5e6b6fc8e0d0ee29af2f02180d2a1ac26d
SSDEEP

6144:nnOsaQgAOjvrZFODJjBz3j1jTqQy6v2GGnugOtihzXg:nnOflT/ZFIjBz3xjTxynGUOUhXg

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 2 IoCs

resource	yara_rule
behavioral2/files/0x000f00000002324d-12.dat	CryptoLocker_rule2
behavioral2/files/0x000f00000002324d-14.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-03-08_e234b2f629ac27f01082c127d87fde0b_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1368	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1368	2680	2024-03-08_e234b2f629ac27f01082c127d87fde0b_cryptolocker.exe	96
PID 2680 wrote to memory of 1368	2680	2024-03-08_e234b2f629ac27f01082c127d87fde0b_cryptolocker.exe	96
PID 2680 wrote to memory of 1368	2680	2024-03-08_e234b2f629ac27f01082c127d87fde0b_cryptolocker.exe	96

C:\Users\Admin\AppData\Local\Temp\2024-03-08_e234b2f629ac27f01082c127d87fde0b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_e234b2f629ac27f01082c127d87fde0b_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3844 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
86KB

MD5
ce4914b06eae91610767eb414a659232

SHA1
96e8f97261c15e791f07758b4e2cdf6ac3035f70

SHA256
ce41f046ed848d7f83f60cc50fbe69f76b42f728874ca1c324c8c44f5ba4009b

SHA512
da8f9ec8bc7d11f9240f07ad036495856c8023c4a04665f1b230f2d35b3996f1e05a0a671cf0cddc702179f3724d262232b3269f4b0ba9795f4b8991ddb7ea3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
386KB

MD5
84367b57b22419a0c755de026f4df68e

SHA1
bb1d5a002edddd9e09bba49879d0130ba22b5569

SHA256
25ab6cb7169dacc2fc5f46235150fe48fd477eb58f9a48479eb6ca95b9adeb45

SHA512
813237e205e92213dc03ba0bd1d39a8a63d00d3b91ecbd35de8ca28c6dfb761a79494afe1c993b89d74685d23c9307acffc61d3b6591d41e2b8131f7ef0e7265

Download Submit
memory/1368-22-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/2680-0-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download
memory/2680-1-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download
memory/2680-2-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download