8f4f227230062ffbc222514ea6104a9c6c5d93eb9f1992e787c905f400f1fe5f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 23:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_aa8b0bec1726124b62fcb3b86a83a442_cryptolocker.exe
Size

93KB
MD5

aa8b0bec1726124b62fcb3b86a83a442
SHA1

c9048a66e6ac4ec2e8d2045f89c0f673aee78de4
SHA256

8f4f227230062ffbc222514ea6104a9c6c5d93eb9f1992e787c905f400f1fe5f
SHA512

7fa105fded0861c3d5acc45209aeddd904a10f6b64ec2c083727791159dbac3a5d448d1d992e54042e299da9628bca9d3f070fdc12bfc93ad596fe9ab2bc0dff
SSDEEP

1536:vj+jsMQMOtEvwDpj5H8u8rBN6nqEZNi1OkQNpZYrsi:vCjsIOtEvwDpj5H8zPszi

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022f51-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022f51-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	2024-06-11_aa8b0bec1726124b62fcb3b86a83a442_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4592	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 4592	2592	2024-06-11_aa8b0bec1726124b62fcb3b86a83a442_cryptolocker.exe	82
PID 2592 wrote to memory of 4592	2592	2024-06-11_aa8b0bec1726124b62fcb3b86a83a442_cryptolocker.exe	82
PID 2592 wrote to memory of 4592	2592	2024-06-11_aa8b0bec1726124b62fcb3b86a83a442_cryptolocker.exe	82

C:\Users\Admin\AppData\Local\Temp\2024-06-11_aa8b0bec1726124b62fcb3b86a83a442_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_aa8b0bec1726124b62fcb3b86a83a442_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Executes dropped EXE
  PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
93KB

MD5
176c607403efeafd17ab3d42d1353ac4

SHA1
bc3ab9c526204358aa48349e0e3dfebd64e9eeb8

SHA256
2f4abf5d48c94aa8d49af8447822f9dc42f089e7c505729330be456fc8e17857

SHA512
924ba31e3068f72c032fa3af15ea197d500f2b9229eab72689432482df25e71543954f220ffb2060484aa3c286994522b804269d86e859e50e8899d17ae4ea28

Download Submit
memory/2592-0-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/2592-1-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/2592-8-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/4592-17-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/4592-23-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download