27d8f96a1403a8034f7ed1b5ae98a1c6edbf5c0e52696a23dc2f254c7413bfaa

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_1a2f1f03d9a33a6e08777fc692bb13aa_cryptolocker.exe
Size

51KB
MD5

1a2f1f03d9a33a6e08777fc692bb13aa
SHA1

02dcf95b3326964a6f5c39967123f13b6412e260
SHA256

27d8f96a1403a8034f7ed1b5ae98a1c6edbf5c0e52696a23dc2f254c7413bfaa
SHA512

f730131c26cfcd3bcf0cd5fc6d74e90876ccfd0bfe15018764b023e89b392a83b64644f7e2588d841fadbafa7f130853617a829a55116708d274cf64a07241ba
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/BtOOtEvwDpjBVaD3E09vxmlcaR:X6QFElP6n+gJBMOtEvwDpjBtExmlp

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x001000000002313c-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x001000000002313c-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	2024-03-09_1a2f1f03d9a33a6e08777fc692bb13aa_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3576	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 3576	556	2024-03-09_1a2f1f03d9a33a6e08777fc692bb13aa_cryptolocker.exe	84
PID 556 wrote to memory of 3576	556	2024-03-09_1a2f1f03d9a33a6e08777fc692bb13aa_cryptolocker.exe	84
PID 556 wrote to memory of 3576	556	2024-03-09_1a2f1f03d9a33a6e08777fc692bb13aa_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-03-09_1a2f1f03d9a33a6e08777fc692bb13aa_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_1a2f1f03d9a33a6e08777fc692bb13aa_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
51KB

MD5
3c9db3c5f34a0cd5f6822987bb4f86f0

SHA1
316d3d9af80a4c973d17b8dd002299a9b4902525

SHA256
7a36e60d6cf4c891ef27c1933f4e4601c62139b037bdd3924c17de18713637bb

SHA512
455f2aa45536346a814acfba86464a2a9e0454fd7a1cb1accd52cbb265cdcac18cd1f0788d706428ae7fd4013e79009c776bc2026dbee6c12f1cb09d1b696c16

Download Submit
memory/556-0-0x0000000002310000-0x0000000002316000-memory.dmp

Filesize
24KB

Download
memory/556-1-0x0000000002310000-0x0000000002316000-memory.dmp

Filesize
24KB

Download
memory/556-2-0x00000000021B0000-0x00000000021B6000-memory.dmp

Filesize
24KB

Download
memory/3576-17-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/3576-19-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download