c4f3e726e8d4d93194f547472de2baee97f1dcc8916fb0c41c528f1c51238091

Analysis

max time kernel
3s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_e0e8e5fde6baab112b4345cf030bb877_cryptolocker.exe
Size

34KB
MD5

e0e8e5fde6baab112b4345cf030bb877
SHA1

76311e1e928c0bae54d9a6841ae2109298ee1271
SHA256

c4f3e726e8d4d93194f547472de2baee97f1dcc8916fb0c41c528f1c51238091
SHA512

e020315d821a8a613b52677606d1674330246899e8f157979c39c2d81df1c8073ca21867f561240f51eeb680f7f2ad63ba305d5acce4845caa266579b41ce349
SSDEEP

768:bxNQIE0eBhkL2Fo1CCwgfjOg9Arbkzos5Pp7h:bxNrC7kYo1Fxf2rY1V

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023435-15.dat	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	2024-06-06_e0e8e5fde6baab112b4345cf030bb877_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4796	pissa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 4796	1276	2024-06-06_e0e8e5fde6baab112b4345cf030bb877_cryptolocker.exe	82
PID 1276 wrote to memory of 4796	1276	2024-06-06_e0e8e5fde6baab112b4345cf030bb877_cryptolocker.exe	82
PID 1276 wrote to memory of 4796	1276	2024-06-06_e0e8e5fde6baab112b4345cf030bb877_cryptolocker.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-06-06_e0e8e5fde6baab112b4345cf030bb877_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_e0e8e5fde6baab112b4345cf030bb877_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\pissa.exe
  "C:\Users\Admin\AppData\Local\Temp\pissa.exe"
  2⤵
  - Executes dropped EXE
  PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pissa.exe

Filesize
34KB

MD5
ddfec3cc63159402498affcf94131d6e

SHA1
f436a4b43201310e5ccd651a7e465e60e69e806e

SHA256
3380c48c44f6680d43451a4981061395d6b4849cdd2efcb88add4dc8edb845cf

SHA512
b8e8d6b208a42b06aa026f3a390a81963b63c9c1369831a515a0ece9f6d440bbade9cd1c015f85d68c8a684fcb04f51e6e1d2fede6043c18d0cf4140e307556f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pissec.exe

Filesize
261B

MD5
11bed1c06d8f4680de5154405be20365

SHA1
9c3095f1aa0b02924c23592d1e86673bb0081ca1

SHA256
bcc0582f122db6e61d2aa06628275f5b882c01ca037699427d0f68e48d744666

SHA512
050bb38ff33ab7e8e8aa647cffb26d2b0a54074340e79f0acf0db8f076c421505f1e4c1ce169d55aeacd4085ce258a78d24327c9393650642963beb130517da8

Download Submit
memory/1276-2-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/1276-1-0x0000000002160000-0x0000000002166000-memory.dmp

Filesize
24KB

Download
memory/1276-0-0x0000000002160000-0x0000000002166000-memory.dmp

Filesize
24KB

Download
memory/4796-23-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download