fa99f1e0f697f3320a1d19ff4b0980a356ce1e668a1f8d5bd6b5c0b183caf9a8

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_5c3a5f262e6caef7bf31237896e7c911_cryptolocker.exe
Size

128KB
MD5

5c3a5f262e6caef7bf31237896e7c911
SHA1

6ce5bb87807113178a7ae0858227d1c7e7b6a0db
SHA256

fa99f1e0f697f3320a1d19ff4b0980a356ce1e668a1f8d5bd6b5c0b183caf9a8
SHA512

5739f15c964ef288706f848b35b2da306064f71f3aaed19c27a24c78b6c944277ad96d08ba7431bba8ba6b1035a4d7d055a6e505d0730f1656497b22fa2da8fa
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjQGYQbN/PKwNgp699GNtL1eI:V6a+pOtEvwDpjtz+

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002320a-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002320a-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	2024-03-09_5c3a5f262e6caef7bf31237896e7c911_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4764	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 4764	1972	2024-03-09_5c3a5f262e6caef7bf31237896e7c911_cryptolocker.exe	89
PID 1972 wrote to memory of 4764	1972	2024-03-09_5c3a5f262e6caef7bf31237896e7c911_cryptolocker.exe	89
PID 1972 wrote to memory of 4764	1972	2024-03-09_5c3a5f262e6caef7bf31237896e7c911_cryptolocker.exe	89

C:\Users\Admin\AppData\Local\Temp\2024-03-09_5c3a5f262e6caef7bf31237896e7c911_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_5c3a5f262e6caef7bf31237896e7c911_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
128KB

MD5
fe3040c8f3f1d8700205c622873953ee

SHA1
a84e4deb3f68d341243e95a008781f1d72954152

SHA256
4eff92572b0b7d14fc7c60e539f2ceaa33c906b602ade108dcb81c4affcc0772

SHA512
96fdf2a08816aaa8006a873a3d86f9343f60ce18d281b9f3e129d1b69f04e322b8df8b62ce6a6eb122db4396b736890b1af3c24dc785ac95d6d384a988d7e823

Download Submit
memory/1972-0-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/1972-1-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/1972-2-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/4764-17-0x0000000000760000-0x0000000000766000-memory.dmp

Filesize
24KB

Download
memory/4764-21-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download