df512c003b4cbf2355eb4ff41e64ee1684bd6c524c77f1a462c3018f856d516b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_53040eae1e7f76d86dd0de04c7d7ab08_cryptolocker.exe
Size

66KB
MD5

53040eae1e7f76d86dd0de04c7d7ab08
SHA1

6eb183d35da6276dfec26b641bedcd9aed99e0a1
SHA256

df512c003b4cbf2355eb4ff41e64ee1684bd6c524c77f1a462c3018f856d516b
SHA512

1fbe0f7d55327690c17ac2cf880985d735fc5bb22326657fa625068a35aa6b7c95c154998f795bfe75fb66412b0be1017c2aead240bc6aac9dddef5c2054fcdf
SSDEEP

1536:z6QFElP6n+gKmddpMOtEvwDpj9aYaFAeBo:z6a+CdOOtEvwDpjQm

Score

9^/10

upx

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

resource	yara_rule
behavioral2/memory/2988-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x000700000002321c-13.dat	CryptoLocker_rule2
behavioral2/memory/2988-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/4172-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral2/memory/2988-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/files/0x000700000002321c-13.dat	CryptoLocker_set1
behavioral2/memory/2988-17-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/memory/4172-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/2988-0-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral2/files/0x000700000002321c-13.dat	UPX
behavioral2/memory/2988-17-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral2/memory/4172-26-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	2024-02-13_53040eae1e7f76d86dd0de04c7d7ab08_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4172	asih.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2988-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x000700000002321c-13.dat	upx
behavioral2/memory/2988-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4172-26-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 4172	2988	2024-02-13_53040eae1e7f76d86dd0de04c7d7ab08_cryptolocker.exe	84
PID 2988 wrote to memory of 4172	2988	2024-02-13_53040eae1e7f76d86dd0de04c7d7ab08_cryptolocker.exe	84
PID 2988 wrote to memory of 4172	2988	2024-02-13_53040eae1e7f76d86dd0de04c7d7ab08_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-02-13_53040eae1e7f76d86dd0de04c7d7ab08_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_53040eae1e7f76d86dd0de04c7d7ab08_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
66KB

MD5
a37cccc9897193280710b2f698ba92b4

SHA1
10a8257c8e54b67d9128cdb0b2c9253a66ebbccd

SHA256
80bc507dc4ecf11d959d2b62e112600173cf44058690da0e5870e9a42d3f6ac9

SHA512
f7887c83b92f37bbba132e1676fd10b6420fc8381ad95d244d1bde94db2281696e078a18d5630d3e5f662b32f73627c87abd07595473ab39fd1f0c5513b1a0f2

Download Submit
memory/2988-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2988-1-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/2988-2-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/2988-3-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/2988-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4172-19-0x0000000000680000-0x0000000000686000-memory.dmp

Filesize
24KB

Download
memory/4172-23-0x0000000000560000-0x0000000000566000-memory.dmp

Filesize
24KB

Download
memory/4172-26-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download