9523f7c5c88f1915657368769e8ac97d3de02c4dbbdf4e092b58f8b9ff9d0114

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_e36e529f336fd4032d61a6bd4fc3c752_cryptolocker.exe
Size

61KB
MD5

e36e529f336fd4032d61a6bd4fc3c752
SHA1

da180b979b068bbde6e43e9ff8eb8ab517ba0ad1
SHA256

9523f7c5c88f1915657368769e8ac97d3de02c4dbbdf4e092b58f8b9ff9d0114
SHA512

3a4e3741f51ab55f3dbe4471cb096d09b875fbf6c65ab21f0ffad06d78fc66c8fa84c8b2dd1c8bbd6a46919321bc027278b452d090e222a3b3ccc8b5288fec0c
SSDEEP

1536:X6QFElP6n+gJQMOtEvwDpjBccD2RuoNmuBLZ/xEL:X6a+SOtEvwDpjBrO6

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e5eb-11.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e5eb-11.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	2024-03-09_e36e529f336fd4032d61a6bd4fc3c752_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1636	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 1636	372	2024-03-09_e36e529f336fd4032d61a6bd4fc3c752_cryptolocker.exe	88
PID 372 wrote to memory of 1636	372	2024-03-09_e36e529f336fd4032d61a6bd4fc3c752_cryptolocker.exe	88
PID 372 wrote to memory of 1636	372	2024-03-09_e36e529f336fd4032d61a6bd4fc3c752_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-03-09_e36e529f336fd4032d61a6bd4fc3c752_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_e36e529f336fd4032d61a6bd4fc3c752_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:372
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
62KB

MD5
b91b073152579b55953c1e160a3143d2

SHA1
a02df15f29bea0a1afb2f68f6aa1c7762d67e5df

SHA256
0db27149d8f2105033a02632cebed78268901f8538df97b66e0440f6265c6a0b

SHA512
3df37da55ff8c79c449482c1fde96124098da6d5ddad7fd1ed2eb7b1584309ceffafb28fd93a74fae2992a70350e63d50964feed9231ce0856740c71aa89886e

Download Submit
memory/372-0-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/372-1-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/372-2-0x0000000002100000-0x0000000002106000-memory.dmp

Filesize
24KB

Download
memory/1636-18-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/1636-17-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download