e9fbe1ee7b802852d2c9ab5e5c3c21c2b5ddad13cd0b8a50f2f0ec06ff016fd9

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_f5989027376ebd0fa30436c1c7813014_cryptolocker.exe
Size

35KB
MD5

f5989027376ebd0fa30436c1c7813014
SHA1

51f61ce099532539480009887dea1c5129d94efe
SHA256

e9fbe1ee7b802852d2c9ab5e5c3c21c2b5ddad13cd0b8a50f2f0ec06ff016fd9
SHA512

78af28edfec2c3535857d794a0e63d82db3102d62cefc87a28058fa61803fd6b0d7c4f9944b4ce5d3b2cb38177a698df26a86735944d3e330224a4486521c213
SSDEEP

384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUqMV6U8zKvGaLi3n:bA74zYcgT/Ekd0ryfj86U8zbbn

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000001e59e-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	2024-03-11_f5989027376ebd0fa30436c1c7813014_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1368	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 1368	5076	2024-03-11_f5989027376ebd0fa30436c1c7813014_cryptolocker.exe	88
PID 5076 wrote to memory of 1368	5076	2024-03-11_f5989027376ebd0fa30436c1c7813014_cryptolocker.exe	88
PID 5076 wrote to memory of 1368	5076	2024-03-11_f5989027376ebd0fa30436c1c7813014_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-03-11_f5989027376ebd0fa30436c1c7813014_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_f5989027376ebd0fa30436c1c7813014_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
35KB

MD5
0258e1998677b92e18ce05856c8022b4

SHA1
b329822c5efe32db8471a76941da801871b93ee4

SHA256
d4dd6e1a47b73fcde20a8c93cb05a966d4becf3d16d9dca6e71c932c04a03bbc

SHA512
f7464eace9312f7e9e4a2fa96d15d4dc70e60e8be32ce193451deb75848d0247b831d39c0b0729e5c94dab68bee97e677449b92bbeb313e3c2b6d08539666316

Download Submit
memory/1368-17-0x0000000002090000-0x0000000002096000-memory.dmp

Filesize
24KB

Download
memory/1368-18-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download
memory/5076-0-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/5076-1-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/5076-2-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download