6fc6cd8274cc38d1e8e8d36e1b281ef5968528a32a27c658da7d681c0be8c44f

Analysis

max time kernel
155s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_8c55f5c928abae7f4c9f80c7fb5ce209_cryptolocker.exe
Size

38KB
MD5

8c55f5c928abae7f4c9f80c7fb5ce209
SHA1

501f82d7ed8398e0aa5c939dc0a741331358701b
SHA256

6fc6cd8274cc38d1e8e8d36e1b281ef5968528a32a27c658da7d681c0be8c44f
SHA512

a6f099288b84cb3d0792a65e760777f1424c28503fd9d3dc926ff8535926832586ff0d5b8ac7eba69d6ce96c3103fa5cc5dfb9abc21538cbda914a1d0b66e9b7
SSDEEP

384:bgX4uGLLQRcsdeQ7/nQu63Ag7YmecFanrlwfjDUkKDfWf0w3sp8u5cZnfX2O:bgX4zYcgTEu6QOaryfjqDDw3sCu5mX5

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002325d-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-03-09_8c55f5c928abae7f4c9f80c7fb5ce209_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2560	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 2560	3820	2024-03-09_8c55f5c928abae7f4c9f80c7fb5ce209_cryptolocker.exe	99
PID 3820 wrote to memory of 2560	3820	2024-03-09_8c55f5c928abae7f4c9f80c7fb5ce209_cryptolocker.exe	99
PID 3820 wrote to memory of 2560	3820	2024-03-09_8c55f5c928abae7f4c9f80c7fb5ce209_cryptolocker.exe	99

C:\Users\Admin\AppData\Local\Temp\2024-03-09_8c55f5c928abae7f4c9f80c7fb5ce209_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_8c55f5c928abae7f4c9f80c7fb5ce209_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
38KB

MD5
305fc54da833d95cb7b096ee93dafe77

SHA1
6a787f6deea5de5481892975ef8f0c3dc30e224e

SHA256
36fe3e0ea31208d387070dc18f49c9a52b786262e2d9f0370a0898b4d1f33614

SHA512
27bb2d2f5cfab8cef980eac8b8b0be232573cefdde17f8cf15699039b7ef2611ce6488946290c2f7f1800f6f1d9e291dab060cc3bd8fdb3a98953e3ff04ed4d7

Download Submit
memory/2560-17-0x00000000020D0000-0x00000000020D6000-memory.dmp

Filesize
24KB

Download
memory/2560-18-0x0000000002090000-0x0000000002096000-memory.dmp

Filesize
24KB

Download
memory/3820-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/3820-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/3820-2-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download