c20a664508176ebe3cd548bc8accd3ada30d8e0e8e48374707c3bbb2a1613fe2

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_3494c087245d07fca8f6947fb7bf17dc_cryptolocker.exe
Size

58KB
MD5

3494c087245d07fca8f6947fb7bf17dc
SHA1

de2e0673a33e955d0c62b24bee23cc11e04bdf03
SHA256

c20a664508176ebe3cd548bc8accd3ada30d8e0e8e48374707c3bbb2a1613fe2
SHA512

78867db9770b181864d813960b038adb137acd2f336bb77fab337c81bcb250855d65b6ac2a423a25f4def0e25460b47f754c42e839607fd81007756ddc9699b4
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjyaLccVCbmMF:V6a+pOtEvwDpjvm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	2024-01-09_3494c087245d07fca8f6947fb7bf17dc_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3632	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3632	4948	2024-01-09_3494c087245d07fca8f6947fb7bf17dc_cryptolocker.exe	94
PID 4948 wrote to memory of 3632	4948	2024-01-09_3494c087245d07fca8f6947fb7bf17dc_cryptolocker.exe	94
PID 4948 wrote to memory of 3632	4948	2024-01-09_3494c087245d07fca8f6947fb7bf17dc_cryptolocker.exe	94

C:\Users\Admin\AppData\Local\Temp\2024-01-09_3494c087245d07fca8f6947fb7bf17dc_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_3494c087245d07fca8f6947fb7bf17dc_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
58KB

MD5
65038a89024974ab37958a4b72bc4a8a

SHA1
1bc40535c6c25a0090b79d67230c0232bd7e14ba

SHA256
6f6e0bee785a2bb83173a64e1a2bc5d4aff9d35f025d6216c72676c6af9d8903

SHA512
1c4dfff0e5fc081d64f28723ae5061ac06a2648e75274a60e6eb5686e8c40b153d639fcecfb3e49dc92f9732921e0782a96397a4a4681bc6d34ca4a70bdf7ffb

Download Submit
memory/4948-0-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/4948-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/4948-2-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download