17a9221bbd805041adc2ba1e168ef15c75e135e6d3f051e98d2c1a4df61a9830

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 07:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_7f859b3c7d1f7e0d5ee350ca06d00e2d_cryptolocker.exe
Size

46KB
MD5

7f859b3c7d1f7e0d5ee350ca06d00e2d
SHA1

4d5fc8c96c013beddc4c3acb36a63aaca9f2f4bb
SHA256

17a9221bbd805041adc2ba1e168ef15c75e135e6d3f051e98d2c1a4df61a9830
SHA512

d65d7d237f4dc2c72e1862b789ee6840db088af85aa36885385dec783df7d7cabcc715b91a4e161c1c8ff304824a60c7ba09b0f84ea21f198826232e018ed335
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaaEqbIu55SSOzA:X6QFElP6n+gJQMOtEvwDpjB0GIWStzA

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023150-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023150-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	2024-02-02_7f859b3c7d1f7e0d5ee350ca06d00e2d_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4952	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 4952	2628	2024-02-02_7f859b3c7d1f7e0d5ee350ca06d00e2d_cryptolocker.exe	85
PID 2628 wrote to memory of 4952	2628	2024-02-02_7f859b3c7d1f7e0d5ee350ca06d00e2d_cryptolocker.exe	85
PID 2628 wrote to memory of 4952	2628	2024-02-02_7f859b3c7d1f7e0d5ee350ca06d00e2d_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-02-02_7f859b3c7d1f7e0d5ee350ca06d00e2d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_7f859b3c7d1f7e0d5ee350ca06d00e2d_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
47KB

MD5
1888fab6a1017e11433f82c63ff7219e

SHA1
8a6afb8d7579405a223e99b9815d249fc422635b

SHA256
e65921b2ca59c2e5e66d55dd8d19077aa31c0561494e29a6827eeec931d4e129

SHA512
53fdbad1ebe9c24a6a7f50e50dc763f8d2e7d160575b1cd8acc2994c2a9b7594abfc276a2c1cb7f9f02100de8b1fdbb12c868db39886226cce344c3425ba277f

Download Submit
memory/2628-0-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/2628-1-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/2628-2-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/4952-17-0x0000000000650000-0x0000000000656000-memory.dmp

Filesize
24KB

Download
memory/4952-21-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download