efab791d63e257b2356ae87e3aa982b2aa9f13ffa664c777918f57a06f67432d

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_f495f23742f5a1c03b8545c2259e3bd4_cryptolocker.exe
Size

50KB
MD5

f495f23742f5a1c03b8545c2259e3bd4
SHA1

1eeae450f0fe74cea3572b1cbb754929d61c7669
SHA256

efab791d63e257b2356ae87e3aa982b2aa9f13ffa664c777918f57a06f67432d
SHA512

0d02804149d29657a93eb6377645c27209ef37825f7c0063f5f53a13aeec09c6e7b10f802a8a8c7f943e855fb48a9e0b67d3971be8b4fe667db13e237ebd4286
SSDEEP

768:79inqyNR/QtOOtEvwDpjBK/rJ+Nw8qn8pKIRsI:79mqyNhQMOtEvwDpjBxe8TpXRD

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 3 IoCs

resource	yara_rule
behavioral2/memory/1984-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x0007000000023206-13.dat	CryptoLocker_rule2
behavioral2/memory/1984-18-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 3 IoCs

resource	yara_rule
behavioral2/memory/1984-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral2/files/0x0007000000023206-13.dat	CryptoLocker_set1
behavioral2/memory/1984-18-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	2024-01-27_f495f23742f5a1c03b8545c2259e3bd4_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4476	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 4476	1984	2024-01-27_f495f23742f5a1c03b8545c2259e3bd4_cryptolocker.exe	88
PID 1984 wrote to memory of 4476	1984	2024-01-27_f495f23742f5a1c03b8545c2259e3bd4_cryptolocker.exe	88
PID 1984 wrote to memory of 4476	1984	2024-01-27_f495f23742f5a1c03b8545c2259e3bd4_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-01-27_f495f23742f5a1c03b8545c2259e3bd4_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_f495f23742f5a1c03b8545c2259e3bd4_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
50KB

MD5
78ee513a07b6094fa7f89674ecd25b43

SHA1
3a889ad13525b02570534bb96c1e2421aa00a298

SHA256
ee1645a1abf5673180fe5b281605a604ae627ef2a6d405940d6612c726e33ba6

SHA512
5d00982d415c7b2e19e517c854fe6002cee7c87d6744da844f7af89b56bfcec1e7fc65c8b90d88c756eb5f2dcb2d2456f3ea853adb3f434696212d714ce911fd

Download Submit
memory/1984-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1984-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1984-2-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1984-3-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/1984-18-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/4476-19-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/4476-21-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download