Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 02:29
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-23_536e8f3632d339485ade8733fe226d73_cryptolocker.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-05-23_536e8f3632d339485ade8733fe226d73_cryptolocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-05-23_536e8f3632d339485ade8733fe226d73_cryptolocker.exe
-
Size
36KB
-
MD5
536e8f3632d339485ade8733fe226d73
-
SHA1
d35fec64cf966104de8fb5a31c3fc213e14d9f46
-
SHA256
ac912ee75ba81ac462da0e8e98b197027622a7349e4d7ff1e98effc3ae0a6b7b
-
SHA512
953944c158dbc605bcf16304d27101b7dcf59ce9fdc3063fd90591d16d668da3e4c38f01e317669b75641efa5a66f67cd54a9c557380c3bce78c06097a8460c4
-
SSDEEP
384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUgIunIVpeNs23mAA6lx1h+:bA74zYcgT/Ekd0ryfjPIunqpeNswm6i
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\hasfj.exe CryptoLocker_rule2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2024-05-23_536e8f3632d339485ade8733fe226d73_cryptolocker.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 2024-05-23_536e8f3632d339485ade8733fe226d73_cryptolocker.exe -
Executes dropped EXE 1 IoCs
Processes:
hasfj.exepid process 4204 hasfj.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2024-05-23_536e8f3632d339485ade8733fe226d73_cryptolocker.exedescription pid process target process PID 4188 wrote to memory of 4204 4188 2024-05-23_536e8f3632d339485ade8733fe226d73_cryptolocker.exe hasfj.exe PID 4188 wrote to memory of 4204 4188 2024-05-23_536e8f3632d339485ade8733fe226d73_cryptolocker.exe hasfj.exe PID 4188 wrote to memory of 4204 4188 2024-05-23_536e8f3632d339485ade8733fe226d73_cryptolocker.exe hasfj.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-23_536e8f3632d339485ade8733fe226d73_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-23_536e8f3632d339485ade8733fe226d73_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hasfj.exe"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\hasfj.exeFilesize
36KB
MD5b59e16e60e1ab0da5cf0a94f4128fb39
SHA17f74ebe68d179e4a875ac91c81c17092efdf0371
SHA256bd6a3edd6f9c2b5294ad36cc13e34336f4f9e6371fd83039bc4d4dea121bd182
SHA5126228e66226385a5e889f4a3f05b6cb536f3f512ce57149202dc41acd2beece1beb72c399e97859aba942540d2c0d60d6856daa33d2048789469a7d7509daf814
-
memory/4188-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmpFilesize
24KB
-
memory/4188-1-0x0000000003150000-0x0000000003156000-memory.dmpFilesize
24KB
-
memory/4188-8-0x0000000002EA0000-0x0000000002EA6000-memory.dmpFilesize
24KB
-
memory/4204-17-0x0000000003010000-0x0000000003016000-memory.dmpFilesize
24KB
-
memory/4204-23-0x0000000000600000-0x0000000000606000-memory.dmpFilesize
24KB