4ce612054209b876774d9ca379c1284e62eeb1284ec369f138ebd702af197387

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 20:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_6926454de1817d8e32a9753f2b27ed12_cryptolocker.exe
Size

389KB
MD5

6926454de1817d8e32a9753f2b27ed12
SHA1

2f054b2ebc03b7a23a1b415116c7ee7077380d06
SHA256

4ce612054209b876774d9ca379c1284e62eeb1284ec369f138ebd702af197387
SHA512

eda5f4fc2fb2fb50f3de645905f5ff08f89e2d5d1b8495016a73791be269af281f44ea9e38825f8010fc54b3eea727adc2f6f04080c3810d714d6c3b8e9470ba
SSDEEP

6144:nnOsaQgAOjvrZFODJjBz3j1jTqQy6v2GGnugOtihzXn:nnOflT/ZFIjBz3xjTxynGUOUhXn

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e97c-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	2024-04-18_6926454de1817d8e32a9753f2b27ed12_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3176	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 3176	2408	2024-04-18_6926454de1817d8e32a9753f2b27ed12_cryptolocker.exe	86
PID 2408 wrote to memory of 3176	2408	2024-04-18_6926454de1817d8e32a9753f2b27ed12_cryptolocker.exe	86
PID 2408 wrote to memory of 3176	2408	2024-04-18_6926454de1817d8e32a9753f2b27ed12_cryptolocker.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-04-18_6926454de1817d8e32a9753f2b27ed12_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_6926454de1817d8e32a9753f2b27ed12_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
389KB

MD5
743c335d964664e1d55e0c4dd002289a

SHA1
3ef22817d7b269f69fa9762cb2ce9cf251f91542

SHA256
f4f22e57451f50a5a112ad4077037d706bc4e1a14008573daf7e8f2bc518cd69

SHA512
d2306a5532ab5001aaed04dbac0f3b6c9f31e02ef17e51ea8e0cbdd7ef053e8b75f82d57350e89debf8f4a9e63b91ed5f071e030fa86713e883226ee6e20d12b

Download Submit
memory/2408-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/2408-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/2408-2-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/3176-17-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download
memory/3176-19-0x00000000020A0000-0x00000000020A6000-memory.dmp

Filesize
24KB

Download