ffc038fdd0b79d353509c54df515fbc8a27dea79b533fd609a0d5568e5fca5dd

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-03_f702e082bcc4f31b9ae0e8d256eb2cfd_cryptolocker.exe
Size

44KB
MD5

f702e082bcc4f31b9ae0e8d256eb2cfd
SHA1

63a23ce85eea61d969136ac31b9684546fb4b2bf
SHA256

ffc038fdd0b79d353509c54df515fbc8a27dea79b533fd609a0d5568e5fca5dd
SHA512

fbf0966dea6b3dd06203f72849a38b9d96dc9ea8aaefa7f9fe58560ac9d11827c6b66b046efbfe24b5803ea7010387687f8f7017ba08f8a8af51d9aac3bf9d02
SSDEEP

384:bm74uGLLQRcsdeQ72ngEr4K7YmE8jo0nrlwfjDUIG6GUc:bm74zYcgT/Ekn0ryfji7Uc

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	2024-09-03_f702e082bcc4f31b9ae0e8d256eb2cfd_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4728	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-03_f702e082bcc4f31b9ae0e8d256eb2cfd_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hasfj.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 4728	2912	2024-09-03_f702e082bcc4f31b9ae0e8d256eb2cfd_cryptolocker.exe	92
PID 2912 wrote to memory of 4728	2912	2024-09-03_f702e082bcc4f31b9ae0e8d256eb2cfd_cryptolocker.exe	92
PID 2912 wrote to memory of 4728	2912	2024-09-03_f702e082bcc4f31b9ae0e8d256eb2cfd_cryptolocker.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-09-03_f702e082bcc4f31b9ae0e8d256eb2cfd_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-03_f702e082bcc4f31b9ae0e8d256eb2cfd_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4108,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8
1⤵
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
44KB

MD5
04c891a1dbf74195768582dcee688f0f

SHA1
413cb6af4bc3c55f7f7f04aad2ac7b73cc234890

SHA256
4987cd239aa70f449fafa7f4d959a53392855524c8783887c482e0f5aa5ddd17

SHA512
36289a852b35c48154a18566466f6bce711a81fdc050d2c30263a20bf77968cb3cbe37f0d9fd5e2c5d51c71a717e7018b2de79b44b4f925259ae82dc3cf2d3b8

Download Submit
memory/2912-0-0x0000000008000000-0x000000000800D000-memory.dmp

Filesize
52KB

Download
memory/2912-1-0x0000000002340000-0x0000000002346000-memory.dmp

Filesize
24KB

Download
memory/2912-2-0x0000000002340000-0x0000000002346000-memory.dmp

Filesize
24KB

Download
memory/2912-3-0x0000000002370000-0x0000000002376000-memory.dmp

Filesize
24KB

Download
memory/2912-17-0x0000000008000000-0x000000000800D000-memory.dmp

Filesize
52KB

Download
memory/4728-19-0x00000000020A0000-0x00000000020A6000-memory.dmp

Filesize
24KB

Download
memory/4728-20-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download
memory/4728-26-0x0000000008000000-0x000000000800D000-memory.dmp

Filesize
52KB

Download