Analysis
-
max time kernel
153s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
15-03-2024 23:50
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-15_e039ee30a2ee52be561a0a3d113fedd4_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-15_e039ee30a2ee52be561a0a3d113fedd4_cryptolocker.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-15_e039ee30a2ee52be561a0a3d113fedd4_cryptolocker.exe
-
Size
50KB
-
MD5
e039ee30a2ee52be561a0a3d113fedd4
-
SHA1
5444803e576e2ee3a406f04ba8622df03b3b4108
-
SHA256
b1c86618cfb19e1e66bc8385c630d3a44d4f913b2755cc4bfa60628e01b7af63
-
SHA512
84c0049805579635b988ef5c971fcb834152029233ff7cacbb7095a351de7dc24c7913afaaeae9f9be0178b3e614de047e6f598dd524f52681b1074438cd9bba
-
SSDEEP
768:bgX4zYcgTEu6QOaryfjqDlC6JFbK37Yl6dIKld5CSOy:bgGYcA/53GAA6y37Q6dI+d51
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
resource yara_rule behavioral2/files/0x000400000002271f-12.dat CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 2024-03-15_e039ee30a2ee52be561a0a3d113fedd4_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 4744 hasfj.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 224 wrote to memory of 4744 224 2024-03-15_e039ee30a2ee52be561a0a3d113fedd4_cryptolocker.exe 97 PID 224 wrote to memory of 4744 224 2024-03-15_e039ee30a2ee52be561a0a3d113fedd4_cryptolocker.exe 97 PID 224 wrote to memory of 4744 224 2024-03-15_e039ee30a2ee52be561a0a3d113fedd4_cryptolocker.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-15_e039ee30a2ee52be561a0a3d113fedd4_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-15_e039ee30a2ee52be561a0a3d113fedd4_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Users\Admin\AppData\Local\Temp\hasfj.exe"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"2⤵
- Executes dropped EXE
PID:4744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3876 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵PID:3772
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50KB
MD53e6641d2b16bd2bd048779125037d2bd
SHA19d35b8594b5bcceb7d0fdbc08cc20fc7991445f8
SHA2562600e1556cb0ebfcf260ad8f59c7df5ee2e76f616aa700a6609076aae709299b
SHA512341951480378fb61a2ad9312cb12ca62d84af8a2635190d89210f9a9dd728d5323a0184e4716900823cbcaac481b30c7a6672a15a76e3cbfdba26f2dd76bd170