Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 25-01-2024 17:37
Behavioral task: behavioral1
Sample: 2024-01-25_c63278ccf6007fe8d6613a54e79a6763_cryptolocker.exe
Resource: win7-20231215-en
General
Target: 2024-01-25_c63278ccf6007fe8d6613a54e79a6763_cryptolocker.exe
Size: 127KB
MD5: c63278ccf6007fe8d6613a54e79a6763
SHA1: 33767068f2d591f7ef68a481027d35a7014c20a0
SHA256: c91f106a83fc6875e31848d47571d93c8a9a16bb6199070a3da7fb46b5fcac35
SHA512: a94bb7b6236bcdf22a972c018896a9bbf38995d097af49754633ba3c79405e747fcacdc3fbb028fb6bd1bf785aad416d392736fa0d5eec324f7dfdea80e23bcc
SSDEEP: 1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgp699GNtL1e8:AnBdOOtEvwDpj6zy
Malware Config
Signatures
Detection of CryptoLocker Variants (4 IoCs)
Processes:
resource  yara_rule
behavioral2/memory/1272-0-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_rule2
C:\Users\Admin\AppData\Local\Temp\asih.exe  CryptoLocker_rule2
behavioral2/memory/1272-17-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_rule2
behavioral2/memory/5100-26-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_rule2
Detection of Cryptolocker Samples (4 IoCs)
Processes:
resource  yara_rule
behavioral2/memory/1272-0-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_set1
C:\Users\Admin\AppData\Local\Temp\asih.exe  CryptoLocker_set1
behavioral2/memory/1272-17-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_set1
behavioral2/memory/5100-26-0x0000000000500000-0x000000000050F000-memory.dmp  CryptoLocker_set1
UPX dump on OEP (original entry point) (4 IoCs)
Processes:
resource  yara_rule
behavioral2/memory/1272-0-0x0000000000500000-0x000000000050F000-memory.dmp  UPX
C:\Users\Admin\AppData\Local\Temp\asih.exe  UPX
behavioral2/memory/1272-17-0x0000000000500000-0x000000000050F000-memory.dmp  UPX
behavioral2/memory/5100-26-0x0000000000500000-0x000000000050F000-memory.dmp  UPX
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 2024-01-25_c63278ccf6007fe8d6613a54e79a6763_cryptolocker.exe
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation  2024-01-25_c63278ccf6007fe8d6613a54e79a6763_cryptolocker.exe
Executes dropped EXE (1 IoC)
Processes: asih.exe
pid  process
5100  asih.exe
Processes:
resource  yara_rule
behavioral2/memory/1272-0-0x0000000000500000-0x000000000050F000-memory.dmp  upx
C:\Users\Admin\AppData\Local\Temp\asih.exe  upx
behavioral2/memory/1272-17-0x0000000000500000-0x000000000050F000-memory.dmp  upx
behavioral2/memory/5100-26-0x0000000000500000-0x000000000050F000-memory.dmp  upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 2024-01-25_c63278ccf6007fe8d6613a54e79a6763_cryptolocker.exe
description  pid  process  target process
PID 1272 wrote to memory of 5100  1272  2024-01-25_c63278ccf6007fe8d6613a54e79a6763_cryptolocker.exe  asih.exe
PID 1272 wrote to memory of 5100  1272  2024-01-25_c63278ccf6007fe8d6613a54e79a6763_cryptolocker.exe  asih.exe
PID 1272 wrote to memory of 5100  1272  2024-01-25_c63278ccf6007fe8d6613a54e79a6763_cryptolocker.exe  asih.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2024-01-25_c63278ccf6007fe8d6613a54e79a6763_cryptolocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_c63278ccf6007fe8d6613a54e79a6763_cryptolocker.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1272
  C:\Users\Admin\AppData\Local\Temp\asih.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    - Executes dropped EXE
    PID: 5100
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 127KB
MD5: 86b4e7101c7bebbb49fa94a21bbeb153
SHA1: 487ac84022331facf81b4146c7c9d712a4378edc
SHA256: 136bed78ce6d6c58354738b4d6a9d526d45c189b7ce78db464fa4fd43f53e324
SHA512: 5587158d9c3829c4e394a65734e01ee1121151c61a7dee4e136457a3740e9294b7d19c8ddba34d67f59f1a020e840e885f3f9fe9a6f049142d236993385b392a