f90b4bf6fd99960d7e5becc234c6bcfc813dbba8e8e7fd49232269982bf56923

General

Target

2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe
Size

5.5MB
MD5

97512fd53f2b734fdbee327d6cdff297
SHA1

efd56c8a61bb14fa0358cdc6e2c13eeea9fc9677
SHA256

f90b4bf6fd99960d7e5becc234c6bcfc813dbba8e8e7fd49232269982bf56923
SHA512

9c729d8ee67b56744348f4e729d88d3b072107e4c3ec381442ed4d3ff0b6621e2835c2ae88a2b061f49a745f5b4bf9b2fd03190ae2e1c9f2d9690e274b4aa236
SSDEEP

98304:B2TI98GkoP+kfhZ5Tgm7jdwg+Zl3dKxikhFmg+47eggcgiP05h2VC:OI1PvfhfhOZzkzmg+8egrghz

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 11 IoCs

resource	yara_rule
behavioral2/memory/2532-0-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/2532-2-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/2532-4-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x000c0000000226fd-17.dat	CryptoLocker_rule2
behavioral2/files/0x000c0000000226fd-20.dat	CryptoLocker_rule2
behavioral2/files/0x000c0000000226fd-19.dat	CryptoLocker_rule2
behavioral2/memory/3724-22-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/2532-21-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/3724-24-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/3724-25-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/3724-34-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 6 IoCs

resource	yara_rule
behavioral2/memory/2532-2-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_set1
behavioral2/memory/2532-4-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_set1
behavioral2/memory/2532-21-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_set1
behavioral2/memory/3724-24-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_set1
behavioral2/memory/3724-25-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_set1
behavioral2/memory/3724-34-0x0000000000500000-0x0000000000D8A000-memory.dmp	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
3724	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2532	2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe
2532	2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe
3724	asih.exe
3724	asih.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 3724	2532	2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe	91
PID 2532 wrote to memory of 3724	2532	2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe	91
PID 2532 wrote to memory of 3724	2532	2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe	91

C:\Users\Admin\AppData\Local\Temp\2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_97512fd53f2b734fdbee327d6cdff297_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
784KB

MD5
b14c609a0ed56250b0a9b17cfd95dc45

SHA1
e7fd6bfff3173f1e69c442c495bf8c997c72bef2

SHA256
820a4ebf5fd565373335fca34821a198fdebef37a27adf511ae2b7df806d0fc3

SHA512
b8903811b67669f2c7ee9e40197ef262ff66114ea3ba0a938f8e3604fdeb5b7c5d72f6fba97c76c6cb3b9ac0d7683f54a5d821d304a986fb3efa199bfc001fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
683KB

MD5
7fdf8e737339a2a346616d06a13004cf

SHA1
888ad9cc18cc806d371a34aedb8abbb2fedb033a

SHA256
af47cf493a4e363915dd9be076ec79b40c543c408e81ed05afe337945a442c1a

SHA512
526c2e437f133fe0ecb568637e10bdc2d22d72cf5a5587e26c2ba7889116db7f4c773d492a0a301e0e0b179d6a56f65647417718f94ced984abda53741c9d404

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
469KB

MD5
b18e299a725db4d8ae2ef66cb7fad283

SHA1
27892ad77225e5287a48f671e01e5f6131e972f4

SHA256
726b8421ced27ef772b5abbc27564da0cb55e55a77197d8c7f63ae4ea8562886

SHA512
ebb4c03a85bb0e0ca88d03e66f882cec1fde8ab6bd733ac10e3c9c02d731bc1f3c052a13b3a517d6e673f49f24634a922576aa1dd5e8b52f524e2bc37728960f

Download Submit
memory/2532-5-0x0000000000F80000-0x0000000000F86000-memory.dmp

Filesize
24KB

Download
memory/2532-21-0x0000000000500000-0x0000000000D8A000-memory.dmp

Filesize
8.5MB

Download
memory/2532-6-0x0000000000F80000-0x0000000000F86000-memory.dmp

Filesize
24KB

Download
memory/2532-7-0x0000000000FA0000-0x0000000000FA6000-memory.dmp

Filesize
24KB

Download
memory/2532-4-0x0000000000500000-0x0000000000D8A000-memory.dmp

Filesize
8.5MB

Download
memory/2532-2-0x0000000000500000-0x0000000000D8A000-memory.dmp

Filesize
8.5MB

Download
memory/2532-1-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2532-0-0x0000000000500000-0x0000000000D8A000-memory.dmp

Filesize
8.5MB

Download
memory/3724-22-0x0000000000500000-0x0000000000D8A000-memory.dmp

Filesize
8.5MB

Download
memory/3724-23-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/3724-24-0x0000000000500000-0x0000000000D8A000-memory.dmp

Filesize
8.5MB

Download
memory/3724-25-0x0000000000500000-0x0000000000D8A000-memory.dmp

Filesize
8.5MB

Download
memory/3724-29-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/3724-27-0x0000000000E10000-0x0000000000E16000-memory.dmp

Filesize
24KB

Download
memory/3724-34-0x0000000000500000-0x0000000000D8A000-memory.dmp

Filesize
8.5MB

Download

Analysis

Sharing