c0c9ea2c8d4b55f0a7b7218d8b17f81b265f512b565289d67632b5c5833d7a2f

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_1574091790541a420d0e3162b491d5d1_cryptolocker.exe
Size

38KB
MD5

1574091790541a420d0e3162b491d5d1
SHA1

f811196faf3791de5ff5e619080bcb50c9085129
SHA256

c0c9ea2c8d4b55f0a7b7218d8b17f81b265f512b565289d67632b5c5833d7a2f
SHA512

0f94551ad56f804969fed3442af3c3866d51fc2012c030362c38360e6e6820263d484badc35ceeaca8a7c1294cf8a7e6b7530be9168007121518f8e3f77234c0
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaac4HKcf7M:X6QFElP6n+gJQMOtEvwDpjBsYK6o

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e5ae-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e5ae-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	2024-02-23_1574091790541a420d0e3162b491d5d1_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3980	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 3980	2528	2024-02-23_1574091790541a420d0e3162b491d5d1_cryptolocker.exe	89
PID 2528 wrote to memory of 3980	2528	2024-02-23_1574091790541a420d0e3162b491d5d1_cryptolocker.exe	89
PID 2528 wrote to memory of 3980	2528	2024-02-23_1574091790541a420d0e3162b491d5d1_cryptolocker.exe	89

C:\Users\Admin\AppData\Local\Temp\2024-02-23_1574091790541a420d0e3162b491d5d1_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_1574091790541a420d0e3162b491d5d1_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
39KB

MD5
040600ec9ace80cfad11b7e38eeb3eb8

SHA1
1fb5e0637e679a7586e9cb8f6f9528c003c40962

SHA256
f8f0ded04398c581a8c09aa904b92afa0f3d4b4f5ad9c51cf886c628cfc8d5b6

SHA512
5c7c51192ce14a32d824e967267af5c6a5525881cc5bb7497645671107d90cd6e589ebbbc9cb401fab0cb2d139e7a2f6122e8d2c34e37071e83278fd7ecf7305

Download Submit
memory/2528-0-0x0000000002280000-0x0000000002286000-memory.dmp

Filesize
24KB

Download
memory/2528-1-0x0000000002280000-0x0000000002286000-memory.dmp

Filesize
24KB

Download
memory/2528-2-0x0000000002180000-0x0000000002186000-memory.dmp

Filesize
24KB

Download
memory/3980-17-0x0000000002100000-0x0000000002106000-memory.dmp

Filesize
24KB

Download
memory/3980-23-0x00000000020D0000-0x00000000020D6000-memory.dmp

Filesize
24KB

Download