57566c2c997ec79a0ec58aee80f49deb906dabe371647f13d3f27ce53d444f9f

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_a9b2d70db2be16976572ad5f8a7cc1b3_cryptolocker.exe
Size

50KB
MD5

a9b2d70db2be16976572ad5f8a7cc1b3
SHA1

73cccb26453e1057d99ed4447d480a0ac685fb41
SHA256

57566c2c997ec79a0ec58aee80f49deb906dabe371647f13d3f27ce53d444f9f
SHA512

8b6823a1efe1be05bde098e9491689e2427beb1fe6ac0d53e9ca3baf30c2141fbe6a2b308d6a7fea95b5b94e0d1e7c5bc0695fdec9d80784f488041b14ebf7b0
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/BtOOtEvwDpjBVaD3E09vbEdR:X6QFElP6n+gJBMOtEvwDpjBtEC

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000900000002313b-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000900000002313b-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	2024-02-20_a9b2d70db2be16976572ad5f8a7cc1b3_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4120	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 4120	3084	2024-02-20_a9b2d70db2be16976572ad5f8a7cc1b3_cryptolocker.exe	86
PID 3084 wrote to memory of 4120	3084	2024-02-20_a9b2d70db2be16976572ad5f8a7cc1b3_cryptolocker.exe	86
PID 3084 wrote to memory of 4120	3084	2024-02-20_a9b2d70db2be16976572ad5f8a7cc1b3_cryptolocker.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-02-20_a9b2d70db2be16976572ad5f8a7cc1b3_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_a9b2d70db2be16976572ad5f8a7cc1b3_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
51KB

MD5
0947cbc5dc5027a67b70698a55e4edc9

SHA1
470f2704320ca20de257209c078d622f98534348

SHA256
2d4be869a96430984709ba8f4ff541e048b3616e05ed6c507b593afb5ae13001

SHA512
6d2cf5242f64a0d088badd7f4fa7817722e38c1d9c6f35da8470a66e8d367c93c928896ba56122eee755a225bd7e4a9b92bce6db2d42eb2545fd1a744d8b416a

Download Submit
memory/3084-0-0x00000000006E0000-0x00000000006E6000-memory.dmp

Filesize
24KB

Download
memory/3084-1-0x00000000006E0000-0x00000000006E6000-memory.dmp

Filesize
24KB

Download
memory/3084-2-0x00000000021B0000-0x00000000021B6000-memory.dmp

Filesize
24KB

Download
memory/4120-17-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/4120-20-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download