7757ceaa8c8454f20b4a8e97f852471ec21ea16c1382384787074e1f4f5dce44

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-10_a22c5c01ce0f6c110e6e57d12beb24d1_cryptolocker.exe
Size

34KB
MD5

a22c5c01ce0f6c110e6e57d12beb24d1
SHA1

77be097b30eda3c4c1fdbad318f558ddf376c73e
SHA256

7757ceaa8c8454f20b4a8e97f852471ec21ea16c1382384787074e1f4f5dce44
SHA512

e42acb107ed02eb0b0990a0dd1269c917c815cded3b604fb6cfff2ddbc0126c66064b9c21c269146e1c6a1b394344bc76a38b2ee9b3a8935f06c9afc70751b39
SSDEEP

384:bG74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUGTGOFj:bG74zYcgT/Ekd0ryfj7

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2024-10-10_a22c5c01ce0f6c110e6e57d12beb24d1_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4336	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-10_a22c5c01ce0f6c110e6e57d12beb24d1_cryptolocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hasfj.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 4336	1444	2024-10-10_a22c5c01ce0f6c110e6e57d12beb24d1_cryptolocker.exe	86
PID 1444 wrote to memory of 4336	1444	2024-10-10_a22c5c01ce0f6c110e6e57d12beb24d1_cryptolocker.exe	86
PID 1444 wrote to memory of 4336	1444	2024-10-10_a22c5c01ce0f6c110e6e57d12beb24d1_cryptolocker.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-10-10_a22c5c01ce0f6c110e6e57d12beb24d1_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-10_a22c5c01ce0f6c110e6e57d12beb24d1_cryptolocker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
34KB

MD5
e680334bded04b855126b35f351a85ff

SHA1
ff0a5b904a81b7539b7c21c52037dccb630ee186

SHA256
f75d4311cdde4dca9caebce133fae076b2b65b88430db581c300b473438d0286

SHA512
75db473b23beb3f2527fd0d3482acbe6c5bbac9307c8a29e38633e40d0dcb83fb19a1948b83ab04c3a4265e1ab57ac6a185ea4b6ff3404db82bf957845838508

Download Submit
memory/1444-0-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/1444-1-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/1444-2-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/1444-3-0x0000000003140000-0x0000000003146000-memory.dmp

Filesize
24KB

Download
memory/1444-17-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download
memory/4336-25-0x0000000002D50000-0x0000000002D56000-memory.dmp

Filesize
24KB

Download
memory/4336-19-0x0000000003000000-0x0000000003006000-memory.dmp

Filesize
24KB

Download
memory/4336-26-0x0000000008000000-0x000000000800A000-memory.dmp

Filesize
40KB

Download