00f35eb22416ab9f126697c7227c857155c4645e474f00584f5b2abd2a97a3e5

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe
Size

45KB
MD5

13eaf2f3080d0b45d0e204dac6866f79
SHA1

30d93273e8554782d243655eb396ec5ae248bc04
SHA256

00f35eb22416ab9f126697c7227c857155c4645e474f00584f5b2abd2a97a3e5
SHA512

986146905c3f79de2622aba6b38ab8e4b376429da974f78f606b6560c7a023315b5d0f39668af7d2488628db7f096c6659bf4c6901fdb1983039732cc5217f1b
SSDEEP

768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjIm8z2iaSIO/WZrEu/d+qmsUHQ1wsk:ZzFbxmLPWQMOtEvwDpj386Sj/WprqQ12

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023206-13.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4132	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 4132	4756	2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe	89
PID 4756 wrote to memory of 4132	4756	2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe	89
PID 4756 wrote to memory of 4132	4756	2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe	89

C:\Users\Admin\AppData\Local\Temp\2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_13eaf2f3080d0b45d0e204dac6866f79_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
45KB

MD5
396c3dfcf7d13988bea46e7c0bf0b9ff

SHA1
00aad7fc3d2e094b50ab135bad221b9f6ff70b2a

SHA256
552c57f0f8fa7fb90cfdfd1095cd3e9cf0f854578679f64dc518a84f609912c2

SHA512
644f4c60bef44730c8dc050c52a56830a33d3e27c7f2252746a9196d712475667d2d569d53f34d86134433d8ee623783556e93f230f8c18ea226e443d6cc07e8

Download Submit
memory/4132-17-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/4132-20-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/4132-21-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/4132-27-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/4756-0-0x0000000000450000-0x0000000000453000-memory.dmp

Filesize
12KB

Download
memory/4756-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/4756-2-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/4756-3-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/4756-18-0x0000000000450000-0x0000000000453000-memory.dmp

Filesize
12KB

Download