Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-02-2024 20:22
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-02-12_0072c3edec7f9ae9a9a0aa6d4b161893_cryptolocker.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2024-02-12_0072c3edec7f9ae9a9a0aa6d4b161893_cryptolocker.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-02-12_0072c3edec7f9ae9a9a0aa6d4b161893_cryptolocker.exe
Size: 83KB
MD5: 0072c3edec7f9ae9a9a0aa6d4b161893
SHA1: 2fe09ae2560cb791494578e3d503f4b8a30910fb
SHA256: 843206764f865e22ea38f5caa7a9b391a6d6727060283927a8b4cedc973c6a0d
SHA512: 02bf0570b65015216cc4cfd251d23ab96bc0e01b388bf38547d3264a33a544e1e61112475f1b67849ddf4bbdce48a107fb65febb177ea30c4b51cd1bd8797828
SSDEEP: 1536:V6QFElP6n+gMQMOtEvwDpjyaLccVNlVSLQw:V6a+pOtEvwDpjvpe
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoC)
  yara_rule: CryptoLocker_rule2
  resource: C:\Users\Admin\AppData\Local\Temp\asih.exe
Detection of Cryptolocker Samples (1 IoC)
  yara_rule: CryptoLocker_set1
  resource: C:\Users\Admin\AppData\Local\Temp\asih.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry (the Geo\Nation value), most likely a geofence check so the sample can refuse to run in certain locales.
  Key value queried: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation
  process: 2024-02-12_0072c3edec7f9ae9a9a0aa6d4b161893_cryptolocker.exe
Executes dropped EXE (1 IoC)
  PID: 356
  process: asih.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4324 (2024-02-12_0072c3edec7f9ae9a9a0aa6d4b161893_cryptolocker.exe) wrote to memory of PID 356 (asih.exe); the same parent-to-child write is recorded three times.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-12_0072c3edec7f9ae9a9a0aa6d4b161893_cryptolocker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-12_0072c3edec7f9ae9a9a0aa6d4b161893_cryptolocker.exe"
  PID: 4324
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\Temp\asih.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
    PID: 356
    - Executes dropped EXE
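The three behaviours this report flags for PID 4324 (the Geo\Nation registry lookup, the EXE dropped into %TEMP% and then executed as PID 356, and the parent writing into that child's memory) are individually weak signals but strong in combination. The following is an added detection example, not code from the sandbox or from the report; it correlates those behaviours per process over a constructed event stream whose schema and rows are modelled on the IoC rows above (the file_write event for asih.exe is assumed, since the report says "dropped EXE" but lists no write row, and the threshold of two behaviours is an arbitrary choice). Real telemetry would need a small adapter into this event shape.

```python
"""Per-process behaviour correlation for the IoCs in this report.

Added example (not sandbox or report code). Event schema and sample events
are constructed from the report's rows; the file_write row and the verdict
threshold are assumptions.
"""
import re
from collections import defaultdict

# HKCU\Control Panel\International\Geo\Nation holds the configured country code.
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# An executable living directly under %LOCALAPPDATA%\Temp.
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-02-12_0072c3edec7f9ae9a9a0aa6d4b161893_cryptolocker.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\asih.exe"

# Constructed event stream mirroring the report (PID 4324 spawns PID 356).
# The file_write event is assumed; the report lists no drop event explicitly.
EVENTS = [
    {"type": "reg_query", "pid": 4324, "image": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "file_write", "pid": 4324, "image": SAMPLE, "path": DROPPED},
    {"type": "proc_create", "pid": 356, "ppid": 4324, "image": DROPPED},
    {"type": "mem_write", "pid": 4324, "image": SAMPLE, "target_pid": 356},
    {"type": "mem_write", "pid": 4324, "image": SAMPLE, "target_pid": 356},
    {"type": "mem_write", "pid": 4324, "image": SAMPLE, "target_pid": 356},
]


def correlate(events):
    """Return {pid: set(of behaviour tags)} built from an ordered event list."""
    tags = defaultdict(set)
    dropped_by = {}              # lower-cased path -> pid that wrote it
    children = defaultdict(set)  # pid -> set of pids it spawned
    for ev in events:
        kind = ev["type"]
        if kind == "reg_query" and GEO_NATION_RE.search(ev["key"]):
            tags[ev["pid"]].add("geofence_lookup")
        elif kind == "file_write" and TEMP_EXE_RE.search(ev["path"]):
            dropped_by[ev["path"].lower()] = ev["pid"]
        elif kind == "proc_create":
            children[ev["ppid"]].add(ev["pid"])
            writer = dropped_by.get(ev["image"].lower())
            if writer is not None:
                # Only an EXE we saw being written counts as "dropped".
                tags[writer].add("executes_dropped_exe")
                tags[ev["pid"]].add("runs_from_dropped_exe")
        elif kind == "mem_write" and ev["target_pid"] in children[ev["pid"]]:
            # Writing into a process you spawned yourself is the
            # WriteProcessMemory pattern the report flags.
            tags[ev["pid"]].add("writes_child_memory")
    return dict(tags)


def verdict(tags, threshold=2):
    """PIDs carrying at least `threshold` distinct behaviours (threshold is an assumption)."""
    return sorted(pid for pid, t in tags.items() if len(t) >= threshold)


if __name__ == "__main__":
    found = correlate(EVENTS)
    for pid, t in sorted(found.items()):
        print(pid, sorted(t))
    print("suspicious:", verdict(found))
```

The check on `children` matters: a write into an unrelated process (a debugger attaching, an AV hook) is not tagged, only a write into a process the writer itself created, which is exactly the 4324 -> 356 relationship in the tree above.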
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 83KB
MD5: 55889cca1a1f9cf0c12b419ed8a243f5
SHA1: 51d80f62f76f7e0c420c865c384ae88909746db2
SHA256: 85064669099522ab1f5003fea23a5094e4a77bc3bff82c79950e522c7427b8ea
SHA512: 526d9940f02f656c681744b342bee61a92e9c5f9e9a5a1ac9e9a34d6ae2a8784dae0f7cdf5cfad6a748cc5a00c4a2f241782b6224b3d50e565d2aa5c981a59c7