b407bd1de69a44b818d03912de65d5c02e9f209340de724ffd1ab433108c54f0

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe
Size

47KB
MD5

7630d6a0ad4bf3beb37a175263244846
SHA1

c40771cf9ba23e4e08c249c486f451f2757f1807
SHA256

b407bd1de69a44b818d03912de65d5c02e9f209340de724ffd1ab433108c54f0
SHA512

3c199c27c6de2a1be046bbd2c0d695b780b04d41bab6d0901a3a17293c2fd8d209d4ce00a1289d97c154f06d32555f5a9c71448534a44bfc5c0c5df537e6a06e
SSDEEP

768:V6LsoEEeegiZPvEhHSG+gDYQtOOtEvwDpj/MLaHaMMm2X30E3aI:V6QFElP6n+gMQMOtEvwDpjyaHaXmI

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe

Executes dropped EXE 1 IoCs

Processes:

asih.exe

pid process

3532 asih.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3532	asih.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe

description	pid	process	target process
PID 1704 wrote to memory of 3532	1704	2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe	asih.exe
PID 1704 wrote to memory of 3532	1704	2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe	asih.exe
PID 1704 wrote to memory of 3532	1704	2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe	asih.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\asih.exe
"C:\Users\Admin\AppData\Local\Temp\asih.exe"
2⤵
- Executes dropped EXE
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
47KB

MD5
c9f5bc1cf68a1b055481b9a2f23970de

SHA1
06a900b88b3b5a0f0330da936edf7800125a9f62

SHA256
062a2d144fd13665813bf4cf3fa9c9d5d2d9ceffed6a488d93ac9675b24f42b3

SHA512
6af9521f0bb1df33d87627955ad00fbf75afc5d6ca201941fca6ec41c97970b3d5d2bcfa2c228e4381732a506e568bf374fd84dc5abc04df44c3e752a54c14fa

Download Submit
memory/1704-0-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/1704-1-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/1704-2-0x0000000002070000-0x0000000002076000-memory.dmp

Filesize
24KB

Download
memory/3532-17-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/3532-23-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download