53af059c59627e7be8f79b6ca33dfb04d40ba6ca57cb3012babd9a2c0523cef9

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_4ac6324da084e61c16f3f97265ffd829_cryptolocker.exe
Size

37KB
MD5

4ac6324da084e61c16f3f97265ffd829
SHA1

93010d95f74fad35061208cd97b308fcf72d75ab
SHA256

53af059c59627e7be8f79b6ca33dfb04d40ba6ca57cb3012babd9a2c0523cef9
SHA512

8ee8ae514527bf5ba878fa3dfe920fde98b027d1bf3f16fa11ad6cbeefba8c61ad45ce96a806d74df437eba3129e52c03c1d3c98361d53011077dd73cfd98314
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBVaD3TP7DFCpUu:X6QFElP6n+gJQMOtEvwDpjBmzDUpJ

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320f-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320f-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	2024-01-24_4ac6324da084e61c16f3f97265ffd829_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
800	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 800	2764	2024-01-24_4ac6324da084e61c16f3f97265ffd829_cryptolocker.exe	87
PID 2764 wrote to memory of 800	2764	2024-01-24_4ac6324da084e61c16f3f97265ffd829_cryptolocker.exe	87
PID 2764 wrote to memory of 800	2764	2024-01-24_4ac6324da084e61c16f3f97265ffd829_cryptolocker.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-01-24_4ac6324da084e61c16f3f97265ffd829_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_4ac6324da084e61c16f3f97265ffd829_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
37KB

MD5
4093af9f14f81bad824903e1246c292f

SHA1
21c3df03c70f740d015955405d614398cb20a766

SHA256
4372f4cd6abd4788c017d15b9583acabebd8346f4670295b0fb99c4e213855a4

SHA512
bfa0305f3850acc79b108f293b4edb377232da20d7ea19733d55cd6ae808507aeae73011f0aab3b2d8f88b095bb39e40886f5e949a192e78e84ee1ee8c833d2a

Download Submit
memory/800-18-0x0000000000670000-0x0000000000676000-memory.dmp

Filesize
24KB

Download
memory/800-17-0x0000000000650000-0x0000000000656000-memory.dmp

Filesize
24KB

Download
memory/2764-0-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/2764-1-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/2764-2-0x0000000002070000-0x0000000002076000-memory.dmp

Filesize
24KB

Download