c7a4f0b0bb53bd1536efb7dae22a9c84e256570bab96990d07f78f8f7a3dd8e3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_8bccfa3261b9cbe5068ab36e23d5b79b_cryptolocker.exe
Size

41KB
MD5

8bccfa3261b9cbe5068ab36e23d5b79b
SHA1

3495c6d9134e14871844016435705aeacf206e9c
SHA256

c7a4f0b0bb53bd1536efb7dae22a9c84e256570bab96990d07f78f8f7a3dd8e3
SHA512

6adca9b7b09795d13fe2909d598c543bf1d7087d3950a835b9c0a6aa288cb3b63e417da29fd4713b4a0c3eee0c9a076e49f0c499a4fa51ce79cc8b5219b53c59
SSDEEP

768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjIm8lB4dCOBy/cTfS:ZzFbxmLPWQMOtEvwDpj38lD/cTfS

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x001c00000001e97e-13.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	2024-04-23_8bccfa3261b9cbe5068ab36e23d5b79b_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1292	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 1292	4388	2024-04-23_8bccfa3261b9cbe5068ab36e23d5b79b_cryptolocker.exe	85
PID 4388 wrote to memory of 1292	4388	2024-04-23_8bccfa3261b9cbe5068ab36e23d5b79b_cryptolocker.exe	85
PID 4388 wrote to memory of 1292	4388	2024-04-23_8bccfa3261b9cbe5068ab36e23d5b79b_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-04-23_8bccfa3261b9cbe5068ab36e23d5b79b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_8bccfa3261b9cbe5068ab36e23d5b79b_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
41KB

MD5
c3b726e0ca9b5c8df459094c2bbc6549

SHA1
ed2f9787520c039d12e82bbdc7d8b50cb2e1074a

SHA256
1b7a822f69f4af48ce67863baef1fd5faa76a92a06a622c6fe5ba197754b8410

SHA512
ae93b2f57bf940f923f5a7c60780c07e74c05cb1993f952a316860f87942b57dc5bd6bfec51a2c456450ad3ee8a6318dc26cc47d5cbd926ea07dc78a85c28fc2

Download Submit
memory/1292-19-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/1292-23-0x0000000000690000-0x0000000000696000-memory.dmp

Filesize
24KB

Download
memory/4388-0-0x00000000004D0000-0x00000000004D3000-memory.dmp

Filesize
12KB

Download
memory/4388-1-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/4388-2-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/4388-3-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/4388-17-0x00000000004D0000-0x00000000004D3000-memory.dmp

Filesize
12KB

Download