60c469826576526a16cda90253a4dbf3cca1fff5e8aa8bf8e972a71438b85155

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-18_9167592e4f289bdce8c6abb44470ffaa_cryptolocker.exe
Size

63KB
MD5

9167592e4f289bdce8c6abb44470ffaa
SHA1

fdbbb20de8faf8c4a55b8bcd749e8982fe882455
SHA256

60c469826576526a16cda90253a4dbf3cca1fff5e8aa8bf8e972a71438b85155
SHA512

76601177402395c8902bff9a42d8dbda06b75d97595a7563a96d7aedfb015f9a61b747e84539324e4664a2092db27246b9e74466e23b9fecfc444b6c70ab0d77
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjyaLccVCbmhkA:V6a+pOtEvwDpjvR

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e9a0-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e9a0-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	2024-03-18_9167592e4f289bdce8c6abb44470ffaa_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2820	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 2820	3148	2024-03-18_9167592e4f289bdce8c6abb44470ffaa_cryptolocker.exe	88
PID 3148 wrote to memory of 2820	3148	2024-03-18_9167592e4f289bdce8c6abb44470ffaa_cryptolocker.exe	88
PID 3148 wrote to memory of 2820	3148	2024-03-18_9167592e4f289bdce8c6abb44470ffaa_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-03-18_9167592e4f289bdce8c6abb44470ffaa_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-18_9167592e4f289bdce8c6abb44470ffaa_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
64KB

MD5
29adc6b87310c5c96648e81354b37c0e

SHA1
48cebe07347c260176558fef81feceba7dc3ca8e

SHA256
f6d6687a58278abd7cedc3c449f2ba1fdff2e9706679a00cb96c27c9161c958e

SHA512
af32c0e9d2196bd547a3ca2b9c102aa713713f1b3c15b4604ca48fb7b8251f3aaa54f97d000617b850f636df1bc18f26c1645bfe44ad1f9c8f5d6ba8f6dc4f5b

Download Submit
memory/2820-17-0x00000000020F0000-0x00000000020F6000-memory.dmp

Filesize
24KB

Download
memory/2820-19-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/3148-0-0x0000000002050000-0x0000000002056000-memory.dmp

Filesize
24KB

Download
memory/3148-1-0x0000000002050000-0x0000000002056000-memory.dmp

Filesize
24KB

Download
memory/3148-2-0x0000000002070000-0x0000000002076000-memory.dmp

Filesize
24KB

Download