d842f72f58f97ed48034e1e7e26eecb15b1751e961df2221fc160d786f8e9a8d

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_3008af2db87440e03f2ead4c69547c55_cryptolocker.exe
Size

73KB
MD5

3008af2db87440e03f2ead4c69547c55
SHA1

930cffac1a44008c02f64c26c8ab8198dd8f89f1
SHA256

d842f72f58f97ed48034e1e7e26eecb15b1751e961df2221fc160d786f8e9a8d
SHA512

817c65b4bee01909099b2ec0391bad53cd0984957a551b8e2b67beabde6d4cb778a1e9ad166b4bde591368c8c87750c01d4ad1a39fdd77392a32b550a44aa203
SSDEEP

1536:X6QFElP6n+gJQMOtEvwDpjBZYTjipvF2bx1sy:X6a+SOtEvwDpjBZYvQd2N

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023207-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023207-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	2024-02-04_3008af2db87440e03f2ead4c69547c55_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4924	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 4924	2876	2024-02-04_3008af2db87440e03f2ead4c69547c55_cryptolocker.exe	89
PID 2876 wrote to memory of 4924	2876	2024-02-04_3008af2db87440e03f2ead4c69547c55_cryptolocker.exe	89
PID 2876 wrote to memory of 4924	2876	2024-02-04_3008af2db87440e03f2ead4c69547c55_cryptolocker.exe	89

C:\Users\Admin\AppData\Local\Temp\2024-02-04_3008af2db87440e03f2ead4c69547c55_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_3008af2db87440e03f2ead4c69547c55_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
73KB

MD5
d9379cfc8f793e46be002962f5c7d94d

SHA1
37c2e6c4d648a32819a85313765d868a7bf00ca3

SHA256
6712bb66cab021beab9342c7d1b5b292503f8ae66f48d993fa7348175f2c98ff

SHA512
9d7fc8b00b474b3f118e120ae8d93d787c8246f6a7ba5363917fe662849ff8b537e88855d18daf1e739a4877a6fc358960a9eb79201e450ba8da029784df2849

Download Submit
memory/2876-0-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/2876-1-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/2876-2-0x0000000002240000-0x0000000002246000-memory.dmp

Filesize
24KB

Download
memory/4924-17-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/4924-21-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download