90b8094e39a6ecbd8c2850d9da2ff4af03e642cfea3de4d306e0f05dbb94b320

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-06_ca021aba19fd97076183341082eeab24_cryptolocker.exe
Size

26KB
MD5

ca021aba19fd97076183341082eeab24
SHA1

f84edac5ceb4d9d6d93fe1b4ce73311987d03e14
SHA256

90b8094e39a6ecbd8c2850d9da2ff4af03e642cfea3de4d306e0f05dbb94b320
SHA512

da0da377e5549a4076bbd9bb41ee14ace9d4c25684d9c2b14015f0e28fa53f8a98272a4d973234b84ce7538cdf76742d01b90077dd56e88a42574ee624c9a121
SSDEEP

384:bVCPwFRuFn65arz1ZhdaXFXSCVQTLfjDp6HMmHBdao:bVCPwFRo6CpwXFXSqQXfjAsmHBdJ

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	2024-09-06_ca021aba19fd97076183341082eeab24_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1460	hasfj.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4076-0-0x0000000008000000-0x000000000800E000-memory.dmp	upx
behavioral2/files/0x000900000002349c-13.dat	upx
behavioral2/memory/4076-18-0x0000000008000000-0x000000000800E000-memory.dmp	upx
behavioral2/memory/1460-27-0x0000000008000000-0x000000000800E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hasfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-06_ca021aba19fd97076183341082eeab24_cryptolocker.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 1460	4076	2024-09-06_ca021aba19fd97076183341082eeab24_cryptolocker.exe	85
PID 4076 wrote to memory of 1460	4076	2024-09-06_ca021aba19fd97076183341082eeab24_cryptolocker.exe	85
PID 4076 wrote to memory of 1460	4076	2024-09-06_ca021aba19fd97076183341082eeab24_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-09-06_ca021aba19fd97076183341082eeab24_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-06_ca021aba19fd97076183341082eeab24_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
26KB

MD5
287888098ce812e11421876d32f3cf38

SHA1
7b777bc7883df95b1e3ffa227d4d78b7a9b97769

SHA256
bc3d627184bb7c2cb52475b84ffdfef2375dcce17d84a2d3c0c1d18299e79619

SHA512
bea742b8d577bbfc07cfef3081e9607c8bf64b662211b7f8d57116190c45498cea90891c6c48afd0242fa977adec36aa8e11334088cdee5c92d972c4073e3bff

Download Submit
memory/1460-20-0x0000000002090000-0x0000000002096000-memory.dmp

Filesize
24KB

Download
memory/1460-26-0x0000000002020000-0x0000000002026000-memory.dmp

Filesize
24KB

Download
memory/1460-27-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download
memory/4076-0-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download
memory/4076-1-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/4076-2-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/4076-3-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download
memory/4076-18-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download