a439d15b2ce6134067da381b40f00884e0b9db9eae1158cd06e0c83d41af6325

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_d7a2d591b2f55c3fe5cf7d95ddbc6af8_cryptolocker.exe
Size

74KB
MD5

d7a2d591b2f55c3fe5cf7d95ddbc6af8
SHA1

bb2484a3b65651a8fab713dd62a01cbfa9609ad3
SHA256

a439d15b2ce6134067da381b40f00884e0b9db9eae1158cd06e0c83d41af6325
SHA512

0decc9c5ffcfc236b1828a822db412f40aea73571b625148849bf7f79cb607f9c1a7ad99dcc40a49829015f6237d05c9249bea31503c45f17f1e820578ac3b18
SSDEEP

1536:X6QFElP6n+gJQMOtEvwDpjBZYTjipvF2bx1Rl:X6a+SOtEvwDpjBZYvQd2D

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023213-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023213-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	2024-03-11_d7a2d591b2f55c3fe5cf7d95ddbc6af8_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
648	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 648	4116	2024-03-11_d7a2d591b2f55c3fe5cf7d95ddbc6af8_cryptolocker.exe	88
PID 4116 wrote to memory of 648	4116	2024-03-11_d7a2d591b2f55c3fe5cf7d95ddbc6af8_cryptolocker.exe	88
PID 4116 wrote to memory of 648	4116	2024-03-11_d7a2d591b2f55c3fe5cf7d95ddbc6af8_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-03-11_d7a2d591b2f55c3fe5cf7d95ddbc6af8_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_d7a2d591b2f55c3fe5cf7d95ddbc6af8_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
75KB

MD5
510f0018bd44f25274d6b69db94c2272

SHA1
27142667218c147db562fa8bade5296d18b6c941

SHA256
d43864c9b41e311ed297230224822552c555d0f3bee62a72f4bbc0cb9b12bbe7

SHA512
a894394e1ad463539636f8640a0fbc170dd806f7b4a11dc05da44423fb0cc9bd329de806f3a1394265c95f6a16230d56817d45d5bf5d0351a63d0fd284514431

Download Submit
memory/648-17-0x0000000002080000-0x0000000002086000-memory.dmp

Filesize
24KB

Download
memory/648-19-0x0000000001F50000-0x0000000001F56000-memory.dmp

Filesize
24KB

Download
memory/4116-0-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/4116-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/4116-2-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download