619f0b7877210bf519eb860bc43b58efd626123063b90db95b280d1aac121bf8

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-26_dd31b55a229230b5ee2c0a6e43e73243_cryptolocker.exe
Size

386KB
MD5

dd31b55a229230b5ee2c0a6e43e73243
SHA1

8273cb60ed40493449041509c28578be8ede8e10
SHA256

619f0b7877210bf519eb860bc43b58efd626123063b90db95b280d1aac121bf8
SHA512

7496e61674ae5320279526823d6631a8c595881fab3033e066a914020b2ba1e28ece56c6c7f1db212cffbef804e67c3f05ad761d58efe669e37f28827384ca5c
SSDEEP

6144:nnOsaQgAOjvrZFODJjBz3j1jTqQy6v2GGnugOtihzXx:nnOflT/ZFIjBz3xjTxynGUOUhXx

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002327d-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-03-26_dd31b55a229230b5ee2c0a6e43e73243_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3880	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 3880	432	2024-03-26_dd31b55a229230b5ee2c0a6e43e73243_cryptolocker.exe	98
PID 432 wrote to memory of 3880	432	2024-03-26_dd31b55a229230b5ee2c0a6e43e73243_cryptolocker.exe	98
PID 432 wrote to memory of 3880	432	2024-03-26_dd31b55a229230b5ee2c0a6e43e73243_cryptolocker.exe	98

C:\Users\Admin\AppData\Local\Temp\2024-03-26_dd31b55a229230b5ee2c0a6e43e73243_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-26_dd31b55a229230b5ee2c0a6e43e73243_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:3880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3920 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
386KB

MD5
0a15caa075408a5aaaeea1e2ac99f3c3

SHA1
5b49563822cd2142fe9e8273be9fb2116e5bb113

SHA256
edb47dd02b4d8472631d58ae5f6d87bd7618656e1c38ebbfbb40c14baf56e027

SHA512
e74ee8427278778a1e46ff9d3226141fdf5f3e478a8b0442ca3a4e8365526b3ae2e519e24f568af222f895af8bf74cffaafe3b60f8f75c05f73a1c16657c1894

Download Submit
memory/432-0-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/432-1-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/432-2-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/3880-17-0x0000000002ED0000-0x0000000002ED6000-memory.dmp

Filesize
24KB

Download
memory/3880-18-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download