0167fba94f3bd038043e1c7ac7af9e1022ed16c4226ee8db241f27ebf085b3db

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 04:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_a6c39861b7f2dbe5b2cc2311777af3ef_cryptolocker.exe
Size

43KB
MD5

a6c39861b7f2dbe5b2cc2311777af3ef
SHA1

b4ad253f9d64a7b7d1a4a5179c54f7d295130375
SHA256

0167fba94f3bd038043e1c7ac7af9e1022ed16c4226ee8db241f27ebf085b3db
SHA512

7cbde46634f740c0bc46d1b4416faaa3a27446e4116a8afe1830a82e7f97010ee72c63799e077dbe2702940fe100b42d966b94deae5daf66be04a826c88b642e
SSDEEP

768:b7o/2n1TCraU6GD1a4Xcn62TUdcuQlqJ51jpPSy/:bc/y2lm6Y0AqJ51VPP/

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023196-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	2024-04-06_a6c39861b7f2dbe5b2cc2311777af3ef_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4932	rewok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 4932	4400	2024-04-06_a6c39861b7f2dbe5b2cc2311777af3ef_cryptolocker.exe	87
PID 4400 wrote to memory of 4932	4400	2024-04-06_a6c39861b7f2dbe5b2cc2311777af3ef_cryptolocker.exe	87
PID 4400 wrote to memory of 4932	4400	2024-04-06_a6c39861b7f2dbe5b2cc2311777af3ef_cryptolocker.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-04-06_a6c39861b7f2dbe5b2cc2311777af3ef_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_a6c39861b7f2dbe5b2cc2311777af3ef_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
43KB

MD5
6f565d576699a6f357964c013c5cf9e2

SHA1
8d60d990a63156d136727bdc91f27c1ff1b63a80

SHA256
501678bc9107e8a8d2f8543cac5e81bc6a0ecaed47880bb4adb75b51715e986a

SHA512
dbf9d62c3b18d0cbc70b615dedef2309ec15b38a1c37f6f67064df71b4b5dbd0d082f98fc86757f12f0b413d8ae1a5ed90db42f7c7657bf10ce595fb07f14870

Download Submit
memory/4400-0-0x0000000002260000-0x0000000002266000-memory.dmp

Filesize
24KB

Download
memory/4400-1-0x0000000002260000-0x0000000002266000-memory.dmp

Filesize
24KB

Download
memory/4400-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4932-21-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download