15c08bfc517bcf5d8fe5e801504e1edf1da893c8b76dc8aa25c3bfb39d542eac

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe
Size

78KB
MD5

aa01992c752cd5389bbf54168aa9537b
SHA1

facffa8a3c6b20e54258fd7fd1e4cd8decac887b
SHA256

15c08bfc517bcf5d8fe5e801504e1edf1da893c8b76dc8aa25c3bfb39d542eac
SHA512

fee7a5da10cf23599cc63a8f537545e17c0b30f353f72c7e69f06701dc6de14b6c4d8de5070ef33d57362c3bade8ec09ff38b3e83b8827d25a3cc7a9666c2647
SSDEEP

1536:ZzFbxmLPWQMOtEvwDpj386Sj/WprgJN6tZdOyJ3KEWTPP:ZVxkGOtEvwDpjcaxK

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000002325a-13.dat	CryptoLocker_rule2
behavioral2/files/0x000700000002325a-16.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
920	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 920	3592	2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe	100
PID 3592 wrote to memory of 920	3592	2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe	100
PID 3592 wrote to memory of 920	3592	2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe	100

C:\Users\Admin\AppData\Local\Temp\2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_aa01992c752cd5389bbf54168aa9537b_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3992 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
78KB

MD5
12bbb0ef2234d35dc8289df832f66730

SHA1
70b67f2c26295688b24c3012c886b94411cd99ce

SHA256
9c4e448209c504fc6cc22ce190edf214b1c45a746d289e6ae808a8d9e5e2ae67

SHA512
c99902a77d8f5014ef1e8da64ce16e0e9c39737c7bc1e59f946a64daff4a132b54a69cb3954ed86eca892f5004ffa03453ddfbdc709d395f84dcbf54e83700dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
19KB

MD5
6d43bffeeee2c318a31fbe79c78f831f

SHA1
d77cafb4dd4b12f03b4afdfa1befed3848b43ab6

SHA256
658ae1bf624830c34a17fa8b6a6810823f609b271a36c35f3769e42c019d171b

SHA512
975a8c23c395a3569620550ba30dbafc62cc1bc6bd9b67f33e1e45d4643a9c559b0cd71d96f50d28e9a702f8d2b90d5bff9c2dff0013bffa3d024ab90c3db38e

Download Submit
memory/920-17-0x0000000000450000-0x0000000000453000-memory.dmp

Filesize
12KB

Download
memory/920-20-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/920-22-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/3592-0-0x00000000004E0000-0x00000000004E3000-memory.dmp

Filesize
12KB

Download
memory/3592-1-0x0000000002220000-0x0000000002226000-memory.dmp

Filesize
24KB

Download
memory/3592-2-0x0000000002220000-0x0000000002226000-memory.dmp

Filesize
24KB

Download
memory/3592-3-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/3592-19-0x00000000004E0000-0x00000000004E3000-memory.dmp

Filesize
12KB

Download