a6e5e588a522288590704cd2ebb6cfc652a6dcfdc7711e6137c0a497adb4e816

Analysis

max time kernel
135s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_d6f22aaa32809e48d3052cad0c2a7951_cryptolocker.exe
Size

71KB
MD5

d6f22aaa32809e48d3052cad0c2a7951
SHA1

92d3a70134d39e746838b63a042389cfc9f8ea60
SHA256

a6e5e588a522288590704cd2ebb6cfc652a6dcfdc7711e6137c0a497adb4e816
SHA512

da7fa646fbc938f6a2d81802d655f3af08fe872ee36f9e6441418ebdd0f08c67a4049be549f529fdab9f2de04e8bd8b7fb7f8e8703cd4aacb01f1e3d99605130
SSDEEP

768:vQz7yVEhs9+js1SQtOOtEvwDpjz9+4ZPsED3VK2+ZtyOjgO4r9vFAg2rq2g1B/R+:vj+jsMQMOtEvwDpj5HZYTjipvF24c5

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-23_d6f22aaa32809e48d3052cad0c2a7951_cryptolocker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2024-05-23_d6f22aaa32809e48d3052cad0c2a7951_cryptolocker.exe

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid process

4452 misid.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4452	misid.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-05-23_d6f22aaa32809e48d3052cad0c2a7951_cryptolocker.exe

description	pid	process	target process
PID 4828 wrote to memory of 4452	4828	2024-05-23_d6f22aaa32809e48d3052cad0c2a7951_cryptolocker.exe	misid.exe
PID 4828 wrote to memory of 4452	4828	2024-05-23_d6f22aaa32809e48d3052cad0c2a7951_cryptolocker.exe	misid.exe
PID 4828 wrote to memory of 4452	4828	2024-05-23_d6f22aaa32809e48d3052cad0c2a7951_cryptolocker.exe	misid.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d6f22aaa32809e48d3052cad0c2a7951_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_d6f22aaa32809e48d3052cad0c2a7951_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
2⤵
- Executes dropped EXE
PID:4452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe
Filesize
72KB

MD5
88bbe440980759578e1775a603c4125c

SHA1
5a6dc2d1de6925a076596a6fd7bc2a4136cc4f4e

SHA256
e9c3f85a95fa3eff33decf027212498ca925064295fc5d4d3d0c22972a906d36

SHA512
066efab52c483301ecc2e7e5885d8687facd35319818b5426fad200133a5b057a4154f8786f15b3d530528b95385f1e18d448c6a32581c8c727b7204db31f310

Download Submit
memory/4452-17-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/4452-23-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/4828-1-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/4828-0-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/4828-8-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download