Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
12-02-2024 17:39
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe
-
Size
47KB
-
MD5
7630d6a0ad4bf3beb37a175263244846
-
SHA1
c40771cf9ba23e4e08c249c486f451f2757f1807
-
SHA256
b407bd1de69a44b818d03912de65d5c02e9f209340de724ffd1ab433108c54f0
-
SHA512
3c199c27c6de2a1be046bbd2c0d695b780b04d41bab6d0901a3a17293c2fd8d209d4ce00a1289d97c154f06d32555f5a9c71448534a44bfc5c0c5df537e6a06e
-
SSDEEP
768:V6LsoEEeegiZPvEhHSG+gDYQtOOtEvwDpj/MLaHaMMm2X30E3aI:V6QFElP6n+gMQMOtEvwDpjyaHaXmI
Malware Config
Signatures
-
Detection of CryptoLocker Variants 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\asih.exe CryptoLocker_rule2 -
Detection of Cryptolocker Samples 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\asih.exe CryptoLocker_set1 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation 2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe -
Executes dropped EXE 1 IoCs
Processes:
asih.exepid process 3532 asih.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exedescription pid process target process PID 1704 wrote to memory of 3532 1704 2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe asih.exe PID 1704 wrote to memory of 3532 1704 2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe asih.exe PID 1704 wrote to memory of 3532 1704 2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe asih.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-12_7630d6a0ad4bf3beb37a175263244846_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:3532
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
47KB
MD5c9f5bc1cf68a1b055481b9a2f23970de
SHA106a900b88b3b5a0f0330da936edf7800125a9f62
SHA256062a2d144fd13665813bf4cf3fa9c9d5d2d9ceffed6a488d93ac9675b24f42b3
SHA5126af9521f0bb1df33d87627955ad00fbf75afc5d6ca201941fca6ec41c97970b3d5d2bcfa2c228e4381732a506e568bf374fd84dc5abc04df44c3e752a54c14fa