faef9b88fda0ff84c05450e4a1f2c4fb8fd4750f00bc2e719af250c291de66c7

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 01:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_c151f954b50893422b804422f279c0a8_cryptolocker.exe
Size

100KB
MD5

c151f954b50893422b804422f279c0a8
SHA1

acb111bf1b9ae28d16b88ca7c04f35474fa5e7c6
SHA256

faef9b88fda0ff84c05450e4a1f2c4fb8fd4750f00bc2e719af250c291de66c7
SHA512

a1c3d4b2edf08f18cdc90d3d17ba0f975df65a7fa9721e562d1ba309e8509699a0e99ab48d22fe7d12ff5b4e261a408f0c108dfa77f8481a99713398af1ef980
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjQGYQbN/PKwNuj2GQi8b/xv4TSe2r8:V6a+pOtEvwDpjtzm

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023223-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023223-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	2024-01-28_c151f954b50893422b804422f279c0a8_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3408	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 3408	968	2024-01-28_c151f954b50893422b804422f279c0a8_cryptolocker.exe	86
PID 968 wrote to memory of 3408	968	2024-01-28_c151f954b50893422b804422f279c0a8_cryptolocker.exe	86
PID 968 wrote to memory of 3408	968	2024-01-28_c151f954b50893422b804422f279c0a8_cryptolocker.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-01-28_c151f954b50893422b804422f279c0a8_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_c151f954b50893422b804422f279c0a8_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
101KB

MD5
302e90eb36b844241b9334d55b8c2f09

SHA1
27c3f3c5913ddbcea6aae89b2002b88689aef41d

SHA256
9ef2a819eb65c83401261be5e60fa2ee681c935e1d45d6ad0b472945cb83cb01

SHA512
9fb2f60e64751e2a39420172d51fea0c0ed0f7744df5e978587856fa1ff14be6cf29bba09d710057fe5eb9003d5498ca9e0fa992286629e359f05382d7cff73e

Download Submit
memory/968-0-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/968-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/968-2-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/3408-17-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/3408-19-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download