42704ad035fe6dff8a206f405a808721c03db958826a6f53eb6c5586a05b19a7

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_f8cf43880df5d28bb885af753c89bad7_cryptolocker.exe
Size

26KB
MD5

f8cf43880df5d28bb885af753c89bad7
SHA1

ed9eb69b9d842a2f3e929b637328a9932e1a0ba4
SHA256

42704ad035fe6dff8a206f405a808721c03db958826a6f53eb6c5586a05b19a7
SHA512

868ced39e01eb46b6697adf5dc9ec972eefdc899d1f1e01e5b21246dd5b6a9dfdc66918724a1d0b65f3472aeca58cdb4f75d3ada77765b336d4293870c61c328
SSDEEP

384:qxOZzyjOnqGAs+8ULueO4NdE8tOOtEvwDpjqIGRYK1sGGYkxlma:q0ZziOWwULueOSdE8tOOtEvwDpjeol

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral2/memory/4676-0-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x000700000001e59e-13.dat	CryptoLocker_rule2
behavioral2/memory/4676-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/4904-18-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/4904-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 3 IoCs

resource	yara_rule
behavioral2/memory/4676-16-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/memory/4904-18-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1
behavioral2/memory/4904-26-0x0000000000500000-0x0000000000510000-memory.dmp	CryptoLocker_set1

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral2/memory/4676-0-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral2/files/0x000700000001e59e-13.dat	UPX
behavioral2/memory/4676-16-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral2/memory/4904-18-0x0000000000500000-0x0000000000510000-memory.dmp	UPX
behavioral2/memory/4904-26-0x0000000000500000-0x0000000000510000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	2024-02-28_f8cf43880df5d28bb885af753c89bad7_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4904	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4904	4676	2024-02-28_f8cf43880df5d28bb885af753c89bad7_cryptolocker.exe	87
PID 4676 wrote to memory of 4904	4676	2024-02-28_f8cf43880df5d28bb885af753c89bad7_cryptolocker.exe	87
PID 4676 wrote to memory of 4904	4676	2024-02-28_f8cf43880df5d28bb885af753c89bad7_cryptolocker.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-02-28_f8cf43880df5d28bb885af753c89bad7_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_f8cf43880df5d28bb885af753c89bad7_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
26KB

MD5
a9b86b988ec28cb88f6d8eac5eb3a819

SHA1
eb0d99bb887aee1196dea1397647bc4f7162effd

SHA256
4e29ddea070ab7c0853b82d9544b535f8e6cd773e3ad392f83bc8ff9447a5bda

SHA512
57a20143cdf97bb223005ec0e7a8f0a2d317c963f671e286aca722b22c8933cfc3f56412c9c542bc4c3db1d71341229f4c27e9d33ce2c2af25ccdddac2d96a21

Download Submit
memory/4676-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4676-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/4676-3-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/4676-2-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/4676-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4904-18-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4904-26-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download