a813f6619d50857695142083925610bf5bf31e905a8f47366b19fb747c43f75a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 20:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-04_d38aedb789d02796234a55ec21537c8a_cryptolocker.exe
Size

387KB
MD5

d38aedb789d02796234a55ec21537c8a
SHA1

5345c01f297ba6fa7c9bfa20123157dda418e98d
SHA256

a813f6619d50857695142083925610bf5bf31e905a8f47366b19fb747c43f75a
SHA512

579797b80cb239214560b8d355fe73691fb40594aedfbad519fa799a3d47ca410ee4af677a25cf41adff46c59511be2f7c49d90f816fd0bdcc387db00248b0d6
SSDEEP

6144:nnOsaQgAOjvrZFODJjBz3j1jTqQy6v2GGnugOtihzX1:nnOflT/ZFIjBz3xjTxynGUOUhX1

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023203-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	2024-04-04_d38aedb789d02796234a55ec21537c8a_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2576	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 2576	384	2024-04-04_d38aedb789d02796234a55ec21537c8a_cryptolocker.exe	88
PID 384 wrote to memory of 2576	384	2024-04-04_d38aedb789d02796234a55ec21537c8a_cryptolocker.exe	88
PID 384 wrote to memory of 2576	384	2024-04-04_d38aedb789d02796234a55ec21537c8a_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-04-04_d38aedb789d02796234a55ec21537c8a_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_d38aedb789d02796234a55ec21537c8a_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
387KB

MD5
e85deda568fa97e0adc88da1a572b4b1

SHA1
ea5b6cd8e84bac7dc12b9fe5970f5e047819684a

SHA256
4dd60d6e4d3fd64a4161d8bb3f2f802dd714650eadaccf3d086bb83370c29645

SHA512
24d73409f2fae8ea068aa1b17fd08de63e8677db5a33baba91a6d8828a0baff60ae4612dd472cc2c72b278642fdfde97790f626ae5cf50faa706eb223f07cddc

Download Submit
memory/384-0-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/384-1-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/384-2-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/2576-17-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download
memory/2576-19-0x0000000001F90000-0x0000000001F96000-memory.dmp

Filesize
24KB

Download