7ba431c2a92383cb16c75b6f37bdf7b0a2093b6fe98a9ceb3e3aa071ba80fb98

Analysis

max time kernel
155s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_22a8c8f3c14998c54845e008dd75461b_cryptolocker.exe
Size

50KB
MD5

22a8c8f3c14998c54845e008dd75461b
SHA1

36a29244e9a5947f9c3a5c3c91be5df7fdde49fa
SHA256

7ba431c2a92383cb16c75b6f37bdf7b0a2093b6fe98a9ceb3e3aa071ba80fb98
SHA512

f0cb3ecb8e78c156c600392f637fa592421a6093214bcc62d787fea8f52147401b6ce95a2da09d62241ef2ecb6a53a1a3800bda26b1c2a5152889cb6453261a1
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/BtOOtEvwDpjBVaD3E09vaTiSfQad:X6QFElP6n+gJBMOtEvwDpjBtE1yd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	2024-01-10_22a8c8f3c14998c54845e008dd75461b_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3228	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 3228	1244	2024-01-10_22a8c8f3c14998c54845e008dd75461b_cryptolocker.exe	92
PID 1244 wrote to memory of 3228	1244	2024-01-10_22a8c8f3c14998c54845e008dd75461b_cryptolocker.exe	92
PID 1244 wrote to memory of 3228	1244	2024-01-10_22a8c8f3c14998c54845e008dd75461b_cryptolocker.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-01-10_22a8c8f3c14998c54845e008dd75461b_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_22a8c8f3c14998c54845e008dd75461b_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
50KB

MD5
32afeac64e28c7ba7ce82f805c429792

SHA1
d194a2bfb9a3c663fa7e5a7d54c60eb58ed133ba

SHA256
d796453033ce67be00e3ae29beef0c41cff36b4ff9c24686db5bb2a0a2fb86b5

SHA512
0e7953838b509f2e290636bf669873700ad7f4d47526e626800f403f4285bd29bf6adc3898cd96f6d1701449d0d1d8dfb45575d5eb920976b0073341ab438001

Download Submit
memory/1244-0-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/1244-2-0x00000000021B0000-0x00000000021B6000-memory.dmp

Filesize
24KB

Download
memory/1244-1-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/3228-17-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/3228-18-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download