Analysis

max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 15:40

Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-25_87bb9ee9bd5499eab2cc19547b2f2005_cryptolocker.exe
Resource: win7-20231215-en
General

Target: 2024-01-25_87bb9ee9bd5499eab2cc19547b2f2005_cryptolocker.exe
Size: 149KB
MD5: 87bb9ee9bd5499eab2cc19547b2f2005
SHA1: 187dc92794fcbc421fa8a22cef9b69a4dbbcc448
SHA256: 96622bdbe5036a822168712a019f8ff2a29811f1496445eaa78a2d4e534879c3
SHA512: 49413a6c80ff7b596757caa443b5cd901afea63c36e9c13bbe32d859ae27ba5328ad025192866ad46418afc58d00b613df167fc4c138990966a360cb5fd795f0
SSDEEP: 1536:V6QFElP6n+gMQMOtEvwDpjQGYQbxGYQbxGYQbPlooHPPFYr7:V6a+pOtEvwDpjt22S
Malware Config
Signatures

Detection of CryptoLocker Variants (1 IoC)
  YARA rule CryptoLocker_rule2 matched C:\Users\Admin\AppData\Local\Temp\asih.exe

Detection of Cryptolocker Samples (1 IoC)
  YARA rule CryptoLocker_set1 matched C:\Users\Admin\AppData\Local\Temp\asih.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process 2024-01-25_87bb9ee9bd5499eab2cc19547b2f2005_cryptolocker.exe queried the key value
  \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation
  The Nation value under HKCU\Control Panel\International\Geo holds the user's configured GeoID (the value behind GetUserGeoID). Malware that reads it typically decides whether to proceed at all based on the answer, so what a sandbox observes can depend on the locale of the analysis image (en-us here); a run under a different region setting may behave differently.

Executes dropped EXE (1 IoC)
  PID 4848: asih.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2364 (2024-01-25_87bb9ee9bd5499eab2cc19547b2f2005_cryptolocker.exe) wrote to the memory of PID 4848 (asih.exe); recorded three times.
  Caveat: a parent writing into a child it has just created is also what an ordinary process launch looks like to this hook. On their own these writes establish that 2364 spawned 4848, not that it injected code into it.
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-01-25_87bb9ee9bd5499eab2cc19547b2f2005_cryptolocker.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_87bb9ee9bd5499eab2cc19547b2f2005_cryptolocker.exe"
   PID: 2364
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\asih.exe (child of PID 2364)
      Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      PID: 4848
      - Executes dropped EXE
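The chain the signatures and process tree record (a Temp-resident process reads Geo\Nation, then launches a second executable from the same Temp directory) can be expressed as detection logic. The following is an added example written for this page; it is not part of the sandbox report or its tooling. It runs over constructed events in a generic EDR-like shape built to mirror the report's process tree; the event format, the `Event`/`Alert` types and the rule names are assumptions. Note that Sysmon does not log registry reads, so the `registry_query` event kind assumes a telemetry source that records them (as this sandbox did).

```python
# Detection logic for the behaviour chain in the report above:
#   Geo\Nation registry read by a process running from the user's Temp dir,
#   followed by that process launching another executable from Temp.
# Example code added to this page; not part of the sandbox or its tooling.
# Event shape is an assumed, generic EDR-like format (constructed below).
import re
from dataclasses import dataclass
from typing import List, Optional, Set

TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)


@dataclass
class Event:
    kind: str                            # "process_create" | "registry_query"
    pid: int
    image: str
    parent_pid: Optional[int] = None     # process_create only
    parent_image: Optional[str] = None   # process_create only
    target_object: Optional[str] = None  # registry_query only


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int                         # process the rule fired on
    child_pid: Optional[int] = None  # set for spawn-based rules


def in_user_temp(path: Optional[str]) -> bool:
    """True for paths under C:\\Users\\<name>\\AppData\\Local\\Temp\\."""
    return bool(TEMP_RE.match(path or ""))


def detect(events: List[Event]) -> List[Alert]:
    """Stateful pass over an ordered event stream.  The third rule only fires
    when the Temp-resident parent had already read the Geo/Nation value,
    which is the order the sandbox recorded for PID 2364 -> 4848."""
    geo_pids: Set[int] = set()
    alerts: List[Alert] = []
    for ev in events:
        if ev.kind == "registry_query":
            if GEO_NATION_RE.search(ev.target_object or ""):
                geo_pids.add(ev.pid)
                alerts.append(Alert("geo_nation_lookup", ev.pid))
        elif ev.kind == "process_create":
            if in_user_temp(ev.image) and in_user_temp(ev.parent_image):
                alerts.append(Alert("temp_parent_spawns_temp_child", ev.parent_pid, ev.pid))
                if ev.parent_pid in geo_pids:
                    alerts.append(Alert("geofence_then_dropped_exe", ev.parent_pid, ev.pid))
    return alerts


# Constructed events mirroring the report's process tree, plus benign noise
# (explorer.exe starting notepad.exe, which reads an unrelated locale value).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-01-25_87bb9ee9bd5499eab2cc19547b2f2005_cryptolocker.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\asih.exe"
HIVE = r"\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000"
SAMPLE_EVENTS = [
    Event("process_create", 2364, SAMPLE, parent_pid=1200, parent_image=r"C:\Windows\explorer.exe"),
    Event("registry_query", 2364, SAMPLE, target_object=HIVE + r"\Control Panel\International\Geo\Nation"),
    Event("process_create", 4848, DROPPED, parent_pid=2364, parent_image=SAMPLE),
    Event("process_create", 5100, r"C:\Windows\System32\notepad.exe", parent_pid=1200,
          parent_image=r"C:\Windows\explorer.exe"),
    Event("registry_query", 5100, r"C:\Windows\System32\notepad.exe",
          target_object=HIVE + r"\Control Panel\International\sDecimal"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone it prints three alerts for the constructed stream and nothing for the explorer/notepad noise. The `temp_parent_spawns_temp_child` rule alone is noisy on real fleets (installers and updaters do this too); the correlated `geofence_then_dropped_exe` rule is the one worth paging on, and it needs the registry read to arrive before the spawn, as it did here.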
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file: C:\Users\Admin\AppData\Local\Temp\asih.exe
  Filesize: 149KB
  MD5: d9aff12dcd35199a717c87602e2b0115
  SHA1: 3b8998664a32c229e020338cec362507241ddf75
  SHA256: f49f269a53da127b51bbda1499d0122747011e8b76969468ad7d463455deb2ae
  SHA512: 1b07043b098b8951aa46ecb506de6f97c4e39a92dd101ce42e86733a1f032760b9dbe413011af533a78d2b9f95a97db24d1aa354cd6cf0d9437c4e3ddde3f2c8
  (Reported at the same size as the submitted sample, but every hash differs, so asih.exe is not a byte-identical copy of it.)

Memory dumps (PID-index-range):
  memory/2364-0-0x00000000006E0000-0x00000000006E6000-memory.dmp   24KB
  memory/2364-1-0x00000000006E0000-0x00000000006E6000-memory.dmp   24KB
  memory/2364-2-0x0000000000710000-0x0000000000716000-memory.dmp   24KB
  memory/4848-17-0x00000000004F0000-0x00000000004F6000-memory.dmp  24KB
  memory/4848-19-0x00000000004D0000-0x00000000004D6000-memory.dmp  24KB
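To sweep a host or a share for the two files above, the report's hashes can be loaded into a small scanner that streams each file once and checks all three digests. This is an added example written for this page, not part of the sandbox or its tooling; `hash_bytes`, `hash_file`, `match_iocs`, `scan_tree` and `self_check` are names chosen here, and the self-check hashes a constructed file containing the bytes `abc` (a standard test vector), not the real sample.

```python
# Hash-based IoC sweep for the submitted sample and the dropped asih.exe.
# Example code added to this page; not part of the sandbox or its tooling.
import hashlib
import os
import tempfile

# IoCs copied from the report above (submitted sample, dropped asih.exe).
REPORT_IOCS = {
    "md5": {
        "87bb9ee9bd5499eab2cc19547b2f2005",
        "d9aff12dcd35199a717c87602e2b0115",
    },
    "sha1": {
        "187dc92794fcbc421fa8a22cef9b69a4dbbcc448",
        "3b8998664a32c229e020338cec362507241ddf75",
    },
    "sha256": {
        "96622bdbe5036a822168712a019f8ff2a29811f1496445eaa78a2d4e534879c3",
        "f49f269a53da127b51bbda1499d0122747011e8b76969468ad7d463455deb2ae",
    },
}


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of an in-memory buffer (used by the self-check)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Stream a file once and feed every chunk to all three digests."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_iocs(digests: dict, iocs: dict = REPORT_IOCS) -> list:
    """Algorithms whose digest appears in the IoC set; empty list means no hit."""
    return sorted(alg for alg, value in digests.items() if value in iocs.get(alg, ()))


def scan_tree(root: str, iocs: dict = REPORT_IOCS) -> list:
    """Walk a directory tree; return (path, sha256) for every file that hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:  # locked or unreadable file: skip it, keep scanning
                continue
            if match_iocs(digests, iocs):
                hits.append((path, digests["sha256"]))
    return hits


def self_check() -> dict:
    """Constructed check: a temp file holding b'abc' is scanned against the
    report IoCs (expect no hit) and against a set seeded with its own SHA256
    (expect exactly one hit)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"abc")
        digests = hash_file(path)
        seeded = {"sha256": {digests["sha256"]}}
        return {
            "digests": digests,
            "against_report": scan_tree(tmp),
            "against_seeded": [(os.path.basename(p), h) for p, h in scan_tree(tmp, seeded)],
        }


if __name__ == "__main__":
    import sys
    for path, sha in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"IoC hit: {path} sha256={sha}")
```

Run it with a directory argument to sweep that tree. Exact-hash matching only catches these two builds; the SSDEEP value in the General section is what you would use to find near-duplicates, and comparing it needs the separate ssdeep library rather than hashlib.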