25f03954b87228e7b16a9853b9e7a52f4272ea74f326acac0bdcd4bf4a913509

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_1cbc21db19a802eef16df4179b7ed61c_cryptolocker.exe
Size

38KB
MD5

1cbc21db19a802eef16df4179b7ed61c
SHA1

133d6b0bdf11908c2e5fe64cd1ef43c7d363b880
SHA256

25f03954b87228e7b16a9853b9e7a52f4272ea74f326acac0bdcd4bf4a913509
SHA512

85c9013f1cdb5260d839a667af024ebbb004867a0a4f99b45221eef6bc1ad41e254043c4f213b36f10cbb0ef540eaebfcaea42c402f871a7e03ebdb4cbe6e7e0
SSDEEP

768:b7o/2n1TCraU6GD1a4Xt9bRU6zA6o36mhz:bc/y2lLRU6zA6qV

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023404-12.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	2024-05-29_1cbc21db19a802eef16df4179b7ed61c_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4512	rewok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 4512	2012	2024-05-29_1cbc21db19a802eef16df4179b7ed61c_cryptolocker.exe	83
PID 2012 wrote to memory of 4512	2012	2024-05-29_1cbc21db19a802eef16df4179b7ed61c_cryptolocker.exe	83
PID 2012 wrote to memory of 4512	2012	2024-05-29_1cbc21db19a802eef16df4179b7ed61c_cryptolocker.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-05-29_1cbc21db19a802eef16df4179b7ed61c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_1cbc21db19a802eef16df4179b7ed61c_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\rewok.exe
  "C:\Users\Admin\AppData\Local\Temp\rewok.exe"
  2⤵
  - Executes dropped EXE
  PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rewok.exe

Filesize
38KB

MD5
fc8278acdbd5d8ccc951cc4e809b990a

SHA1
516e5970a9e85b12ce9e7bc216adca137fd0cd1b

SHA256
8077fba440b9f76fcaffa220a0f0545736889ce137a63aa083f930043dd70d88

SHA512
38e77890045c64490ce75e3f2d650b3f480bd7a31fd159766713a61a75d3da16e06613cca315081cc6c3837e98d6a4fcd12afa0d3d4190f872c27bb4debf00ee

Download Submit
memory/2012-0-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/2012-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2012-8-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/4512-25-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download