Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/03/2024, 03:00
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-29_6ba8e7870941355f5bdf917f6e20a97b_cryptolocker.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-29_6ba8e7870941355f5bdf917f6e20a97b_cryptolocker.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-29_6ba8e7870941355f5bdf917f6e20a97b_cryptolocker.exe
Size: 162KB
MD5: 6ba8e7870941355f5bdf917f6e20a97b
SHA1: 1936a986abf35ae0149ccd2614a71bfb3e7db54a
SHA256: cbf1de2898f5c3ff7a19a2f98f6e9ad63107b081f9cfe649529d3fdc3e26787f
SHA512: 2a844c055e2327f6251c89e5b81b9bed20c79bf9b393145c518cf26f87846b42b33b9f7a88a5cfc8bcab49ba4e6f91c853ecb93f83791f2d4b45d35924348571
SSDEEP: 1536:u6QFElP6n+gWMOtEvwDpjJGYQbN/PKwNgp699GNtL1emmbb:u6a++OtEvwDpj6zL
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoCs)
  resource: behavioral2/files/0x000c000000023165-12.dat
  yara_rule: CryptoLocker_rule2
Detection of Cryptolocker Samples (1 IoCs)
  resource: behavioral2/files/0x000c000000023165-12.dat
  yara_rule: CryptoLocker_set1
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation
  Process: 2024-03-29_6ba8e7870941355f5bdf917f6e20a97b_cryptolocker.exe
Executes dropped EXE (1 IoCs)
  pid: 1548
  Process: asih.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                                        procid_target
  PID 1116 wrote to memory of 1548   1116  2024-03-29_6ba8e7870941355f5bdf917f6e20a97b_cryptolocker.exe  87
  PID 1116 wrote to memory of 1548   1116  2024-03-29_6ba8e7870941355f5bdf917f6e20a97b_cryptolocker.exe  87
  PID 1116 wrote to memory of 1548   1116  2024-03-29_6ba8e7870941355f5bdf917f6e20a97b_cryptolocker.exe  87
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-03-29_6ba8e7870941355f5bdf917f6e20a97b_cryptolocker.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-29_6ba8e7870941355f5bdf917f6e20a97b_cryptolocker.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 1116
   2. C:\Users\Admin\AppData\Local\Temp\asih.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      - Executes dropped EXE
      PID: 1548
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 162KB
MD5: 0263eca80bc704c506e4dfe341461b37
SHA1: d1258bc66d1bdba28ef8103bc28e52ddfee6115b
SHA256: 01ce6ee065ab023a1a9b6bf050298fd2636cfe964b1e168b3c41e9189d23c39f
SHA512: 48d4faa349d60f95cc8bd55bece482d5edeb72edc96b5fb987cc258586d2248405a3d25ebe8e1fadccfa85a63f06a61bd18ee7dc8e7ce537414b6d0998f8fa1c