adeb9f4db99e6325af58b1d2792c0e21f451ab930b0a666145b3cd2e85f0da2a

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_74a8e2b449e3b4c0021d16e4a0bc5898_cryptolocker.exe
Size

125KB
MD5

74a8e2b449e3b4c0021d16e4a0bc5898
SHA1

ccd956b28d56110c468b6d3598cdc7619767b88c
SHA256

adeb9f4db99e6325af58b1d2792c0e21f451ab930b0a666145b3cd2e85f0da2a
SHA512

65e151aeec81e2f79831071fe9f614493178b08379232eb45c88092b21aeee0c7cd5e952cb0089412c1c963f5d675d097d391b93f27cad0482b3dc4852015b17
SSDEEP

1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgp699GNtL1eD:AnBdOOtEvwDpj6z5

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

resource	yara_rule
behavioral2/memory/3448-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x0007000000023127-13.dat	CryptoLocker_rule2
behavioral2/memory/3448-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/3244-26-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral2/memory/3448-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral2/files/0x0007000000023127-13.dat	CryptoLocker_set1
behavioral2/memory/3448-17-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral2/memory/3244-26-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/3448-0-0x0000000000500000-0x000000000050F000-memory.dmp	UPX
behavioral2/files/0x0007000000023127-13.dat	UPX
behavioral2/memory/3448-17-0x0000000000500000-0x000000000050F000-memory.dmp	UPX
behavioral2/memory/3244-26-0x0000000000500000-0x000000000050F000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	2024-02-13_74a8e2b449e3b4c0021d16e4a0bc5898_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3244	asih.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3448-0-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/files/0x0007000000023127-13.dat	upx
behavioral2/memory/3448-17-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral2/memory/3244-26-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 3244	3448	2024-02-13_74a8e2b449e3b4c0021d16e4a0bc5898_cryptolocker.exe	83
PID 3448 wrote to memory of 3244	3448	2024-02-13_74a8e2b449e3b4c0021d16e4a0bc5898_cryptolocker.exe	83
PID 3448 wrote to memory of 3244	3448	2024-02-13_74a8e2b449e3b4c0021d16e4a0bc5898_cryptolocker.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-02-13_74a8e2b449e3b4c0021d16e4a0bc5898_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_74a8e2b449e3b4c0021d16e4a0bc5898_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
125KB

MD5
981602ebb71822cf9ba3013a018efda2

SHA1
280880bfa72a60b911dada1a823d09dfc1b419e1

SHA256
7f4b4e187727747c92db42451097a56bcc6d0716010cdee8c8150bcb58209644

SHA512
83916e02797f9e10f1d35357562ff8dd59564a5e860d54154e2c375851061202d3bc4a705034ab57d67fe1208463e193f48be09326f6f8b5271ac2fb5a7afa86

Download Submit
memory/3244-19-0x0000000002070000-0x0000000002076000-memory.dmp

Filesize
24KB

Download
memory/3244-20-0x0000000002050000-0x0000000002056000-memory.dmp

Filesize
24KB

Download
memory/3244-26-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/3448-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/3448-1-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/3448-2-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/3448-3-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/3448-17-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download