d7bf4ab9d33b0bf92042c89ddfc52ab85f9298a8edfaba1640aa3c5a8e7b249e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe
Size

43KB
MD5

96f3ab8c3dc0a5e9494a435d431be9f2
SHA1

57bedeed3c74de5325835d3fc9a9640641f13d7c
SHA256

d7bf4ab9d33b0bf92042c89ddfc52ab85f9298a8edfaba1640aa3c5a8e7b249e
SHA512

19090495769795e82d46d892202913e01e9a8dc7907adbd3eba1e0b1efcfe06e0900d1f00c1e4e540db2223416c0e9a859789069b44dca80e569838bb7046923
SSDEEP

768:P6LsoEEeegiZPvEhHS5+Mh/QtOOtEvwDpjBpaD3TUogs/VXpAPN:P6QFElP6k+MRQMOtEvwDpjBQpVXs

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 5 IoCs

resource	yara_rule
behavioral2/memory/3404-0-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x000400000001e980-13.dat	CryptoLocker_rule2
behavioral2/memory/2000-18-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/3404-17-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/2000-27-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 5 IoCs

resource	yara_rule
behavioral2/memory/3404-0-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1
behavioral2/files/0x000400000001e980-13.dat	CryptoLocker_set1
behavioral2/memory/2000-18-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1
behavioral2/memory/3404-17-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1
behavioral2/memory/2000-27-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2000	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 2000	3404	2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe	88
PID 3404 wrote to memory of 2000	3404	2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe	88
PID 3404 wrote to memory of 2000	3404	2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_96f3ab8c3dc0a5e9494a435d431be9f2_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
43KB

MD5
e25d608c258f2848bac562710307de08

SHA1
8768dd45d6709332c3ce914ae6b4dc3b01ca3bbb

SHA256
2aeabbd182d788c40cbbe21043b63d74d30072f58635b35953bd555391bb2d28

SHA512
67a60135307fdf3ab11daf5a44fa2f248b4e59f47f95983b5d1064e1ea8edc4c61c3aa72cf363fd20c1ddc1277722a954d34c46b3d968736caea80be71d922a9

Download Submit
memory/2000-18-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/2000-21-0x0000000000680000-0x0000000000686000-memory.dmp

Filesize
24KB

Download
memory/2000-20-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/2000-27-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/3404-0-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/3404-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/3404-2-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/3404-3-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/3404-17-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download