8b9797bdcf50ea4dd3c6efcb5da44bcc2d68d803b350adbc0159dda9dc142709

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-14_1f1a7590299777b1962e31d7dba1054a_cryptolocker.exe
Size

44KB
MD5

1f1a7590299777b1962e31d7dba1054a
SHA1

5ae74957fbdd5e1d5c14365ba649c87db7303f60
SHA256

8b9797bdcf50ea4dd3c6efcb5da44bcc2d68d803b350adbc0159dda9dc142709
SHA512

5fdc726b0ed43e86803e2d8c393f1cbc9bbd30dc1ac428fc1e9d6558db61d3bc93386a12e72b1a5a035d40d9c65143699aa134fcbc53f37d9443380a454bd93c
SSDEEP

768:b7o/2n1TCraU6GD1a4X0WcO+wMVm+slAMphqu:bc/y2lkF0+Bequ

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023297-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	2024-05-14_1f1a7590299777b1962e31d7dba1054a_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2828	rewok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2828	2876	2024-05-14_1f1a7590299777b1962e31d7dba1054a_cryptolocker.exe	83
PID 2876 wrote to memory of 2828	2876	2024-05-14_1f1a7590299777b1962e31d7dba1054a_cryptolocker.exe	83
PID 2876 wrote to memory of 2828	2876	2024-05-14_1f1a7590299777b1962e31d7dba1054a_cryptolocker.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-05-14_1f1a7590299777b1962e31d7dba1054a_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-14_1f1a7590299777b1962e31d7dba1054a_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
44KB

MD5
1fa5d22e4b805cc7588fdb5982679295

SHA1
5aa283a82cc6e95c5473b21840fda6cef076d036

SHA256
5a240e08ee7fa18181027dec19d82e77cb49456eaca4d3e5c63646180765f17c

SHA512
6d7f4f42acdbbb19d68b1dbf23aaf5faa0a7d495ec1f8d420060f23eeb5d825f7f0bb146e49819afbd1c3e19ee435b8ebc0cec1866e22e94a87dbad5449169f2

Download Submit
memory/2828-25-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download
memory/2876-0-0x00000000006F0000-0x00000000006F6000-memory.dmp

Filesize
24KB

Download
memory/2876-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2876-8-0x00000000006F0000-0x00000000006F6000-memory.dmp

Filesize
24KB

Download