ad9feeb9215b06b14e4d68d29eb37b2b0b5271d32d807908dfe395b1fe844f68

General

Target

2024-02-13_90e3d57c4e615e70211a70cae1260472_cryptolocker.exe
Size

56KB
MD5

90e3d57c4e615e70211a70cae1260472
SHA1

31739156cb3d62202b0981c29cb262c153a0036c
SHA256

ad9feeb9215b06b14e4d68d29eb37b2b0b5271d32d807908dfe395b1fe844f68
SHA512

9d50758fecde8aa828d2af26e3ff1600df3fa2c7f310377d1021338302ee49dc4048a635d58f0d765a8699965a1caec038384bc6cba4228cf6aa8737dd1be81e
SSDEEP

768:z6LsoEEeegiZPvEhHSG+gzum/kLyMro2GtOOtEvwDpj/YMLam5ap+LV:z6QFElP6n+gKmddpMOtEvwDpj9aYa0

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 6 IoCs

resource	yara_rule
behavioral2/memory/3048-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x0007000000023039-13.dat	CryptoLocker_rule2
behavioral2/memory/3048-19-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/4520-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x0007000000023039-15.dat	CryptoLocker_rule2
behavioral2/memory/4520-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 6 IoCs

resource	yara_rule
behavioral2/memory/3048-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/files/0x0007000000023039-13.dat	CryptoLocker_set1
behavioral2/memory/3048-19-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/memory/4520-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/files/0x0007000000023039-15.dat	CryptoLocker_set1
behavioral2/memory/4520-27-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral2/memory/3048-0-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral2/files/0x0007000000023039-13.dat	UPX
behavioral2/memory/3048-19-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral2/memory/4520-17-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral2/files/0x0007000000023039-15.dat	UPX
behavioral2/memory/4520-27-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	2024-02-13_90e3d57c4e615e70211a70cae1260472_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4520	asih.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3048-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0007000000023039-13.dat	upx
behavioral2/memory/3048-19-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4520-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0007000000023039-15.dat	upx
behavioral2/memory/4520-27-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 4520	3048	2024-02-13_90e3d57c4e615e70211a70cae1260472_cryptolocker.exe	18
PID 3048 wrote to memory of 4520	3048	2024-02-13_90e3d57c4e615e70211a70cae1260472_cryptolocker.exe	18
PID 3048 wrote to memory of 4520	3048	2024-02-13_90e3d57c4e615e70211a70cae1260472_cryptolocker.exe	18

C:\Users\Admin\AppData\Local\Temp\2024-02-13_90e3d57c4e615e70211a70cae1260472_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_90e3d57c4e615e70211a70cae1260472_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
57KB

MD5
9cf9b967d00e0e622334897337b2d9c9

SHA1
cbb5f5779b71ee1c69f68798e9617c4f30f2c6f0

SHA256
e4499db77f2998b98a8092da88e66479a3f01da2ac00cac86957c8f101f1d81e

SHA512
d0dd047c886b49597a13709af265bd7ffd66baf48a49171cf456023e725275458c4622cc8db4e6d1113e5714822ea1ac2a9c60828aaf2861b89a24d4dd8db9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
47KB

MD5
6dd93f5230995bc74a159d2285f334b8

SHA1
211bf60503deae77163f5a381525e8d6d0aca784

SHA256
570b8300525ca5e59cbca21d1367f55f06820f186401d42451987e8e91856856

SHA512
63e9d4ef79729d2d1989eb6e4b26357ae5496519579148c25f22f7d3236cbf774feec20b6cbcbe895f39a92b07d8ed051ec9d63a1f22bfa8b594822086ec6f2b

Download Submit
memory/3048-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3048-3-0x00000000020F0000-0x00000000020F6000-memory.dmp

Filesize
24KB

Download
memory/3048-2-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/3048-1-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/3048-19-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4520-20-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/4520-26-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/4520-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4520-27-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing