bdd00581bebb6599cf3c445b9b8eeadd793a17f3fe3189437f2f3e75874f9b80

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_ff4735cdb488d3cb6135eb4744c6b335_cryptolocker.exe
Size

49KB
MD5

ff4735cdb488d3cb6135eb4744c6b335
SHA1

41f7b29c71506865193a802979a67d02ce0cc510
SHA256

bdd00581bebb6599cf3c445b9b8eeadd793a17f3fe3189437f2f3e75874f9b80
SHA512

0161f2770f4cb2b394c37f72e52a582174751ccb026ae4c111ad179631938f69dfd12276b4fe2cafb698e44c8ae437718df7b6639639def0ea02bcde118b2d6f
SSDEEP

768:vQz7yVEhs9+js1SQtOOtEvwDpjz9+4/Uth8igNrr46xdUUuuMT8l/:vj+jsMQMOtEvwDpj5Hczer5ixuMC/

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023205-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023205-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	2024-04-09_ff4735cdb488d3cb6135eb4744c6b335_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	misid.exe

Executes dropped EXE 1 IoCs

pid	Process
216	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 216	3384	2024-04-09_ff4735cdb488d3cb6135eb4744c6b335_cryptolocker.exe	88
PID 3384 wrote to memory of 216	3384	2024-04-09_ff4735cdb488d3cb6135eb4744c6b335_cryptolocker.exe	88
PID 3384 wrote to memory of 216	3384	2024-04-09_ff4735cdb488d3cb6135eb4744c6b335_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-04-09_ff4735cdb488d3cb6135eb4744c6b335_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_ff4735cdb488d3cb6135eb4744c6b335_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
50KB

MD5
de59af2cc754221b3703a7a1cce0adea

SHA1
33dff404979dfb41a3bc620e5db8a92d992db3bc

SHA256
83ef0638263a4fe801880861272f8c9476bfcae0c23925e87b09e114a8779f77

SHA512
55173d2067410e950ab1538dd02a52110d59f1d891c902418791072f85bef6ac7db4bd39cdd57a9aa3ad7893adf81a6b9c7518a9f7ed70161f6d3e5b34608d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\misids.exe

Filesize
1KB

MD5
a144c000abda4c84f46a84fdfb5a9dbb

SHA1
08b5665707bca02e211210918f0f323cde544c4c

SHA256
93f288fcf40fbe1bb2da7861f2745ebdb3ba3c6b6c5f200ddad06ef4c775b247

SHA512
d8709c2d3a154b2afbcd878f5f69b6fdbc22445174685f7baa69f1f994620b0e0f1727a874facc17c268ff0e5f54829203b1600b85e9bcadbedd84ed7ac0aa99

Download Submit
memory/216-17-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/216-21-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/3384-0-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/3384-1-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/3384-2-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download