794275ac9e62aafa016e2c26c602a316c995d143012f8978ee45b3881a43a0a5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 03:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-09_62751f7457b3b4b2987731e5fd683963_cryptolocker.exe
Size

43KB
MD5

62751f7457b3b4b2987731e5fd683963
SHA1

8f44f46c8b27ef3f92de0617ebd9aaa337d1fd45
SHA256

794275ac9e62aafa016e2c26c602a316c995d143012f8978ee45b3881a43a0a5
SHA512

24bb2760121fd6885cbb6ba66a4e2343a6e6cd9390a885e8bb80a6bcfdd44dd8a8b81f5302c67e42ff0104acf2f395cea7c18be6a6576a822fdd5c7651075a86
SSDEEP

768:XS5nQJ24LR1bytOOtEvwDpj66BLbjG9Rva/yYshNh9:i5nkFGMOtEvwDpjR+viHshNr

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral2/memory/2972-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/4560-18-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x000c000000023370-17.dat	CryptoLocker_rule2
behavioral2/memory/2972-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/4560-49-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral2/memory/2972-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral2/memory/4560-18-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral2/memory/2972-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral2/memory/4560-49-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Detects executables built or packed with MPress PE compressor 5 IoCs

resource	yara_rule
behavioral2/memory/2972-0-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4560-18-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000c000000023370-17.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2972-16-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4560-49-0x0000000000500000-0x000000000050F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	2024-06-09_62751f7457b3b4b2987731e5fd683963_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	misid.exe

Executes dropped EXE 1 IoCs

pid	Process
4560	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 4560	2972	2024-06-09_62751f7457b3b4b2987731e5fd683963_cryptolocker.exe	81
PID 2972 wrote to memory of 4560	2972	2024-06-09_62751f7457b3b4b2987731e5fd683963_cryptolocker.exe	81
PID 2972 wrote to memory of 4560	2972	2024-06-09_62751f7457b3b4b2987731e5fd683963_cryptolocker.exe	81

C:\Users\Admin\AppData\Local\Temp\2024-06-09_62751f7457b3b4b2987731e5fd683963_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_62751f7457b3b4b2987731e5fd683963_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
43KB

MD5
d5bd6619eb6c4e14614edf2ced1d1528

SHA1
0ad96781f6b10d4a8746779395e3a1700a80001c

SHA256
9fd0f565ae7d4ff545467f519a10334603b4686e8b42d2564143afa00860a1a4

SHA512
6d19bc15fa322f0861315c3952c8bbe25c5bd37f3dc686361c549f17fc3e862dc1659a6ff8a1f46e51e250ab5157e54eba0a224a81c07862d72ff255f0bfe466

Download Submit
C:\Users\Admin\AppData\Local\Temp\misids.exe

Filesize
315B

MD5
a34ac19f4afae63adc5d2f7bc970c07f

SHA1
a82190fc530c265aa40a045c21770d967f4767b8

SHA256
d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

SHA512
42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765

Download Submit
memory/2972-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2972-1-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/2972-3-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/2972-2-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/2972-16-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4560-20-0x0000000000650000-0x0000000000656000-memory.dmp

Filesize
24KB

Download
memory/4560-26-0x0000000000630000-0x0000000000636000-memory.dmp

Filesize
24KB

Download
memory/4560-18-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4560-49-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download