4a37718ed1d5562998067917a085fd11e360c2026b141e12df963b878bc22a15

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 03:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_71e70005cc72e17e2c50c9f7937bc2d0_cryptolocker.exe
Size

36KB
MD5

71e70005cc72e17e2c50c9f7937bc2d0
SHA1

6029d6ca2bf1dcf7401bd08568b9297bba43304b
SHA256

4a37718ed1d5562998067917a085fd11e360c2026b141e12df963b878bc22a15
SHA512

0103bdefc90ea3bcd5aa12433e1ae98fbd5f6c038116dd93220508f58822a9c7370905450f1f8e8d64fe01dfcf259f5bc5ecdc118c9f4849a760fbc94e27b373
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBVaD3TP7DFCW:X6QFElP6n+gJQMOtEvwDpjBmzDUW

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023238-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023238-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	2024-02-18_71e70005cc72e17e2c50c9f7937bc2d0_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3924	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 3924	976	2024-02-18_71e70005cc72e17e2c50c9f7937bc2d0_cryptolocker.exe	83
PID 976 wrote to memory of 3924	976	2024-02-18_71e70005cc72e17e2c50c9f7937bc2d0_cryptolocker.exe	83
PID 976 wrote to memory of 3924	976	2024-02-18_71e70005cc72e17e2c50c9f7937bc2d0_cryptolocker.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-02-18_71e70005cc72e17e2c50c9f7937bc2d0_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_71e70005cc72e17e2c50c9f7937bc2d0_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
36KB

MD5
3af533734b17ae1cc4e7b641a6aa6296

SHA1
d748204989d576c2580296ed291a726fa07d6702

SHA256
995860fa520c2cd039a7000e3016ae0b701e5e1ff2483a7294f85f26a54b9e1b

SHA512
8d014378e4bd46aebbbf0fa5bd783e683e5053390b679331c210bede59aaf314337455b154bfc2fd641dd0891df64e36e1be924c0cdcaea2444cd1afe85a172c

Download Submit
memory/976-0-0x0000000002320000-0x0000000002326000-memory.dmp

Filesize
24KB

Download
memory/976-1-0x0000000002320000-0x0000000002326000-memory.dmp

Filesize
24KB

Download
memory/976-2-0x0000000002230000-0x0000000002236000-memory.dmp

Filesize
24KB

Download
memory/3924-18-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/3924-17-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download