29fa391dd8145da04ebe9159ce9b6b13f9746f387b70ca28b45bf629d8d2b017

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 04:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_64b39ddf242f746391d0d8911697b297_cryptolocker.exe
Size

47KB
MD5

64b39ddf242f746391d0d8911697b297
SHA1

e9aaab1eea0bd215ebfdd5ffb079eda542f5c85a
SHA256

29fa391dd8145da04ebe9159ce9b6b13f9746f387b70ca28b45bf629d8d2b017
SHA512

bc6ad3a74b7032eca5ab22c0806cd2ed1f4b8120f19a5c5bb13a9465d87974b836e81f83a97fcead9c4d2cb799b867d8c917d29ee9d87cab376a9c8db16b864c
SSDEEP

768:vQz7yVEhs9+js1SQtOOtEvwDpjz9+4/Uth8igNrr42A7n0FmB09J:vj+jsMQMOtEvwDpj5HczerLO04B6J

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e970-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e970-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	2024-04-26_64b39ddf242f746391d0d8911697b297_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4504	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 4504	2100	2024-04-26_64b39ddf242f746391d0d8911697b297_cryptolocker.exe	87
PID 2100 wrote to memory of 4504	2100	2024-04-26_64b39ddf242f746391d0d8911697b297_cryptolocker.exe	87
PID 2100 wrote to memory of 4504	2100	2024-04-26_64b39ddf242f746391d0d8911697b297_cryptolocker.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-04-26_64b39ddf242f746391d0d8911697b297_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_64b39ddf242f746391d0d8911697b297_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
47KB

MD5
04175d4eb734708a7725c87e11aa92c0

SHA1
632fecb49885fba5a7c3e9b4d7c511464988997b

SHA256
849869f92769671829257bd3cb3e52f17b0bb922e52b08a0f34ea24025cf4128

SHA512
c25d4de3e8c8fca2f650440cb672ce2954bf60a961301af6bed5825a82ba2c34390831222a2cae1eee61a98bb0c3740512124c35a0fd87df50c2b51296d82626

Download Submit
memory/2100-0-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/2100-2-0x00000000021B0000-0x00000000021B6000-memory.dmp

Filesize
24KB

Download
memory/2100-1-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/4504-17-0x0000000000860000-0x0000000000866000-memory.dmp

Filesize
24KB

Download
memory/4504-19-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download