b61de6f08ca1212f20f15b7f8bb7392550b19e0fce6a6e655ef01ffcc43c27ec

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_db3d7ad886afff8f9f7c51f05ec115df_cryptolocker.exe
Size

49KB
MD5

db3d7ad886afff8f9f7c51f05ec115df
SHA1

3e3c8eaaa816a16f2773c829dfd1ef2400fc1000
SHA256

b61de6f08ca1212f20f15b7f8bb7392550b19e0fce6a6e655ef01ffcc43c27ec
SHA512

5e067c08e6edbe5f0f34f02535a2fb10d1c9274df7d578f6d93fbacaebb8bccd7e4ccd6f5d9b3f8f41ec721be39553082015780a118f0b042c0bdc8d465a9cc3
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaaEqbIu55id3AMWZfDr:X6QFElP6n+gJQMOtEvwDpjB0GIWiWLlr

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023239-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023239-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	2024-03-29_db3d7ad886afff8f9f7c51f05ec115df_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
1236	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 1236	4196	2024-03-29_db3d7ad886afff8f9f7c51f05ec115df_cryptolocker.exe	88
PID 4196 wrote to memory of 1236	4196	2024-03-29_db3d7ad886afff8f9f7c51f05ec115df_cryptolocker.exe	88
PID 4196 wrote to memory of 1236	4196	2024-03-29_db3d7ad886afff8f9f7c51f05ec115df_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-03-29_db3d7ad886afff8f9f7c51f05ec115df_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_db3d7ad886afff8f9f7c51f05ec115df_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
49KB

MD5
9b2c66a3eb9a404ebe648cd7805123df

SHA1
d6061bf9a00c6239459886a8ed5ffe406226cfab

SHA256
9ef0fe458e124a27f39a44984e27f98d2ed352424882ae727d28af4d498c671b

SHA512
0ed897ad1c7adaff3ed628ec58dabcf70430156609331814a81fe5263699b5ba7ebc0e273fdd38ae4e7fd3e79cb2cf1c4aa7308f80babddb34b9d5c038adb52a

Download Submit
memory/1236-17-0x00000000020E0000-0x00000000020E6000-memory.dmp

Filesize
24KB

Download
memory/1236-19-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download
memory/4196-0-0x0000000002280000-0x0000000002286000-memory.dmp

Filesize
24KB

Download
memory/4196-1-0x0000000002280000-0x0000000002286000-memory.dmp

Filesize
24KB

Download
memory/4196-2-0x00000000021A0000-0x00000000021A6000-memory.dmp

Filesize
24KB

Download