5b6422f07371ce4a4984d0ca63d528b4c75d73c80c3935a597311bf638511676

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_eca080b589b561df060ffbf1f4468321_cryptolocker.exe
Size

45KB
MD5

eca080b589b561df060ffbf1f4468321
SHA1

50bc3fd15ef5bda020b269756967d59fb08b288e
SHA256

5b6422f07371ce4a4984d0ca63d528b4c75d73c80c3935a597311bf638511676
SHA512

896aea9f8793bbaa54e2c3b4a6a24adbaf0140c8178f28ace45f2bbb41fc3f32c60d76d5b3ae90dcf11b70eeeaa9a3ea8ee94f9e29d4e258044ab2334b54348d
SSDEEP

768:V6LsoEEeegiZPvEhHSG+gDYQtOOtEvwDpj/MLaHaMMm2X3rtLSvj:V6QFElP6n+gMQMOtEvwDpjyaHaXvOvj

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-02-12_eca080b589b561df060ffbf1f4468321_cryptolocker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	2024-02-12_eca080b589b561df060ffbf1f4468321_cryptolocker.exe

Executes dropped EXE 1 IoCs

Processes:

asih.exe

pid process

3496 asih.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3496	asih.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-02-12_eca080b589b561df060ffbf1f4468321_cryptolocker.exe

description	pid	process	target process
PID 1536 wrote to memory of 3496	1536	2024-02-12_eca080b589b561df060ffbf1f4468321_cryptolocker.exe	asih.exe
PID 1536 wrote to memory of 3496	1536	2024-02-12_eca080b589b561df060ffbf1f4468321_cryptolocker.exe	asih.exe
PID 1536 wrote to memory of 3496	1536	2024-02-12_eca080b589b561df060ffbf1f4468321_cryptolocker.exe	asih.exe

C:\Users\Admin\AppData\Local\Temp\2024-02-12_eca080b589b561df060ffbf1f4468321_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_eca080b589b561df060ffbf1f4468321_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\asih.exe
"C:\Users\Admin\AppData\Local\Temp\asih.exe"
2⤵
- Executes dropped EXE
PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
45KB

MD5
3c90067652c65d5498348eb4c7470fdb

SHA1
4c7abea1cdd6757f7344b976f04867411ffee53d

SHA256
f240baa90d610dfe5c1cae83a04269013bc47d262a2e6255a66addd164988d47

SHA512
1cf2e847250d2758e76fecd25bf1e2496adc63a7346d110877d179a3550e652182eeb15d9333bdc6faa534100ff8e79e7ed7e967ea347ba24bb2e973fe5d5ab1

Download Submit
memory/1536-0-0x00000000007C0000-0x00000000007C6000-memory.dmp

Filesize
24KB

Download
memory/1536-1-0x00000000007C0000-0x00000000007C6000-memory.dmp

Filesize
24KB

Download
memory/1536-2-0x00000000007E0000-0x00000000007E6000-memory.dmp

Filesize
24KB

Download
memory/3496-17-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/3496-21-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download