db2ada044e5f10903e6e982e4308410932db812b260d75d1bf06f25d89a3aaef

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240521148cc52cdcf7e5ae122db7a03311cdd8cryptolocker.exe
Size

38KB
MD5

148cc52cdcf7e5ae122db7a03311cdd8
SHA1

1d4bb1e50f47e21a1ed3388fec2781070a2993d7
SHA256

db2ada044e5f10903e6e982e4308410932db812b260d75d1bf06f25d89a3aaef
SHA512

365189635156583261d60aa2754996c3afdcf044de7d0423d1971bf24eecae29edc6846ffa862e2a86177f400eb1ab135698ced973bd713408cdb7ad9df0661c
SSDEEP

768:bA74zYcgT/Ekd0ryfjPIunqpeNswmT3He:bA6YcA/X6G0W143+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

20240521148cc52cdcf7e5ae122db7a03311cdd8cryptolocker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	20240521148cc52cdcf7e5ae122db7a03311cdd8cryptolocker.exe

Executes dropped EXE 1 IoCs

Processes:

hasfj.exe

pid process

4200 hasfj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4200	hasfj.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

20240521148cc52cdcf7e5ae122db7a03311cdd8cryptolocker.exe

description	pid	process	target process
PID 3916 wrote to memory of 4200	3916	20240521148cc52cdcf7e5ae122db7a03311cdd8cryptolocker.exe	hasfj.exe
PID 3916 wrote to memory of 4200	3916	20240521148cc52cdcf7e5ae122db7a03311cdd8cryptolocker.exe	hasfj.exe
PID 3916 wrote to memory of 4200	3916	20240521148cc52cdcf7e5ae122db7a03311cdd8cryptolocker.exe	hasfj.exe

C:\Users\Admin\AppData\Local\Temp\20240521148cc52cdcf7e5ae122db7a03311cdd8cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\20240521148cc52cdcf7e5ae122db7a03311cdd8cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
38KB

MD5
d70675a963e8b97afb8c289b9889aea8

SHA1
1e86d5045a159c2742293f2f8a9fb673c9f7417e

SHA256
4f776a8f54b04d066d1572e68b918816aeac09bf975de04cd98baf79c4ba3228

SHA512
4041f22cfb34d4cec708a66e5a1eb8170217d65a5208d5f49b1eb0922a735263a26a00840140cc156e77a5913433b83ab24b41dbd405abf0eea2a5ab9609b7ff

Download Submit
memory/3916-0-0x0000000002160000-0x0000000002166000-memory.dmp

Filesize
24KB

Download
memory/3916-1-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/3916-8-0x0000000002160000-0x0000000002166000-memory.dmp

Filesize
24KB

Download
memory/4200-17-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download
memory/4200-18-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download