Analysis

  • max time kernel
    114s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2024, 17:56

General

  • Target

    2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe

  • Size

    64KB

  • MD5

    bfb12bc505ca7736641758ac7b36758b

  • SHA1

    40386403a0552097580e60ceb22506c92d24d65e

  • SHA256

    12dd746c4fb22315953508e7e85a0702c088607682e8da266f41379dc7d46e71

  • SHA512

    72e8dc462484cc7579a573148c0eeb837fae61d89883ed5bb796b0d51c429e5cdd3c579db04aea3984194e7bfbb286a82cd3e09375723ad5fa9b29509b511df3

  • SSDEEP

    768:6Qz7yVEhs9+4OR7tOOtEvwDpjLHqPOYRmNxt5I52kGEMpf:6j+1NMOtEvwDpjr8ox8UDEI

Score
9/10

Malware Config

Signatures

  • Detection of CryptoLocker Variants 4 IoCs
  • Detection of Cryptolocker Samples 4 IoCs
  • Detects executables built or packed with MPress PE compressor 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-29_bfb12bc505ca7736641758ac7b36758b_cryptolocker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Users\Admin\AppData\Local\Temp\misid.exe
      "C:\Users\Admin\AppData\Local\Temp\misid.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies system certificate store
      PID:4128
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4484 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2292

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\misid.exe

      Filesize

      64KB

      MD5

      d6669ac16d0906a3749e3f9579686295

      SHA1

      ad46c28f2ab888c806b39f3c215b74b24a9e61e2

      SHA256

      dd7082697e9f668608062fe6a2f57340899afef87d1003134659974f309afb49

      SHA512

      4e7651402ef1a48a173e12bacbdbe3e91d6ad804b4ff64f11c67cacb818403b7f8d7f4971b5aee6ef7cacff7a848130a064ad3810606b30747059bfd86efe487

    • C:\Users\Admin\AppData\Local\Temp\misids.exe

      Filesize

      315B

      MD5

      a34ac19f4afae63adc5d2f7bc970c07f

      SHA1

      a82190fc530c265aa40a045c21770d967f4767b8

      SHA256

      d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

      SHA512

      42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765

    • memory/1412-0-0x0000000000500000-0x000000000050F000-memory.dmp

      Filesize

      60KB

    • memory/1412-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

      Filesize

      24KB

    • memory/1412-2-0x00000000004D0000-0x00000000004D6000-memory.dmp

      Filesize

      24KB

    • memory/1412-3-0x00000000004F0000-0x00000000004F6000-memory.dmp

      Filesize

      24KB

    • memory/1412-17-0x0000000000500000-0x000000000050F000-memory.dmp

      Filesize

      60KB

    • memory/4128-19-0x0000000002080000-0x0000000002086000-memory.dmp

      Filesize

      24KB

    • memory/4128-21-0x0000000000520000-0x0000000000526000-memory.dmp

      Filesize

      24KB

    • memory/4128-48-0x0000000000500000-0x000000000050F000-memory.dmp

      Filesize

      60KB