ee1fadc7ae2d4c45d37563153946b13347e8c15ac5eb4d646f8b0749031cd875

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-25_cb8b68854fd98073d516637e64073ca7_cryptolocker.exe
Size

37KB
MD5

cb8b68854fd98073d516637e64073ca7
SHA1

1789d8ae681128729a2fce8e2202972e46595553
SHA256

ee1fadc7ae2d4c45d37563153946b13347e8c15ac5eb4d646f8b0749031cd875
SHA512

e5095e35444da4ae83ef78022d471c4e3e575896514e8e3f7be0631f537f412baebc7c1de870602b5196fa7ef81281a4f7e2aad56b80327eb5be38bee161a2fe
SSDEEP

768:vQz7yVEhs9+js1SQtOOtEvwDpjz9+4/UkRYzrm:vj+jsMQMOtEvwDpj5HcSY/m

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x00050000000224ff-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x00050000000224ff-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	2024-03-25_cb8b68854fd98073d516637e64073ca7_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1588	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 1588	3588	2024-03-25_cb8b68854fd98073d516637e64073ca7_cryptolocker.exe	88
PID 3588 wrote to memory of 1588	3588	2024-03-25_cb8b68854fd98073d516637e64073ca7_cryptolocker.exe	88
PID 3588 wrote to memory of 1588	3588	2024-03-25_cb8b68854fd98073d516637e64073ca7_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-03-25_cb8b68854fd98073d516637e64073ca7_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-25_cb8b68854fd98073d516637e64073ca7_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
37KB

MD5
053d3c2ee6863a627bf2db0fb24a23dd

SHA1
6aa65e005eb7bebc090c933c804dd53ee6a2ac04

SHA256
2774192c0614ddbe3ff76abb01f5d635f338403348a7a5bf2ef764f4dd74c08f

SHA512
57389404d653d84fcfa529fc4bbdb0c674c03e9f0282fae6eaeec74201013453c8cfe6594c9e5176b46ea85e7fdc6724b619f0a721fa7af3b21403c14da807f5

Download Submit
memory/1588-17-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1588-18-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/3588-0-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/3588-1-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/3588-2-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download