de3d327a33a609c8cf861afab6568240ef32570a1bf25f8989feec21e12f8ad6

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 07:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_de7bd72d702a4a8dbd2b9836a129258e_cryptolocker.exe
Size

34KB
MD5

de7bd72d702a4a8dbd2b9836a129258e
SHA1

5dff0ed85da349347ac4d96bc5310294a6d77edc
SHA256

de3d327a33a609c8cf861afab6568240ef32570a1bf25f8989feec21e12f8ad6
SHA512

bb66666b94c24b85f1856a07b364905e10df770627872e6c4950bc581140b9c3a71c5a9ad56bf3e01236d41d5f56d6e546a38ebc6ff23d759be737499c8e2267
SSDEEP

768:fTz7y3lhsT+hs1SQtOOtEvwDpjfAu9+4A:fT+hsMQMOtEvwDpjoIHA

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000f00000002314e-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000f00000002314e-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	2024-04-11_de7bd72d702a4a8dbd2b9836a129258e_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	misid.exe

Executes dropped EXE 1 IoCs

pid	Process
3892	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 3892	1452	2024-04-11_de7bd72d702a4a8dbd2b9836a129258e_cryptolocker.exe	85
PID 1452 wrote to memory of 3892	1452	2024-04-11_de7bd72d702a4a8dbd2b9836a129258e_cryptolocker.exe	85
PID 1452 wrote to memory of 3892	1452	2024-04-11_de7bd72d702a4a8dbd2b9836a129258e_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-04-11_de7bd72d702a4a8dbd2b9836a129258e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_de7bd72d702a4a8dbd2b9836a129258e_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
34KB

MD5
8e1c5d9348b60a139ce2bc845e53bc1b

SHA1
1dbb7da09f329ddc7370cb81674fa69f60532cfa

SHA256
1abdbfc7b301437328d2713fd483e45a1c1b9d229d46cd5703afc8859ce1d20e

SHA512
eaf2176cc8be2f058e1eadf12f11e6b0063e2d8e9e0c1203163917ab15f9cd813d317e25b4ea64112f8bcfcef674e585121ccc5fd183ca3a840e13c89aef96bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\misids.exe

Filesize
1KB

MD5
2afd03bdd9215b93910c1c0c862cd3e9

SHA1
325df3c4218510c928430e37a00547e2f778bdc8

SHA256
b78eb6335e795cae3c99ef6686d9f1ee234f96f76375b496ba7c95384f496203

SHA512
faf7e3b228673b41c93eab52fe78413565de78965fc8f07f817abec72f3ee4e474f1809e10344a23c1b51153cbe1bd0c3c4bf387b223f5f7143d25e09e221f14

Download Submit
memory/1452-0-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/1452-1-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/1452-2-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/3892-17-0x0000000002100000-0x0000000002106000-memory.dmp

Filesize
24KB

Download
memory/3892-19-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download