63065f9fbf7b6b0432c352baebbdab3c9d22301b0037692ae5cb7865008005be

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_1cc3fca656b359df250af5eea3ddd0b0_cryptolocker.exe
Size

44KB
MD5

1cc3fca656b359df250af5eea3ddd0b0
SHA1

6340b059c8c7da69f764eb4cbbb8aad90f1f3c16
SHA256

63065f9fbf7b6b0432c352baebbdab3c9d22301b0037692ae5cb7865008005be
SHA512

07c068132d52ce649cbdef8da0d91c60dbc8aecc6a5dc7cb8c7c3c40cc807bafc9cf0daad20bc1958d136bde37b29a21b13d9566df01cfcfbd2bf11b5ab33053
SSDEEP

768:wHGGaSawqnwjRQ6ESlmFOsPoOdQtOOtEvwDpjm6j4AYsqSh+DETkedmhqFkvv:YGzl5wjRQBBOsP1QMOtEvwDpjl39+D+C

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 4 IoCs

resource	yara_rule
behavioral2/memory/1304-0-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2
behavioral2/files/0x000300000001e9b1-13.dat	CryptoLocker_rule2
behavioral2/memory/1304-18-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2
behavioral2/memory/4624-17-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral2/memory/1304-0-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1
behavioral2/files/0x000300000001e9b1-13.dat	CryptoLocker_set1
behavioral2/memory/1304-18-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1
behavioral2/memory/4624-17-0x0000000000500000-0x000000000050B000-memory.dmp	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	2024-04-16_1cc3fca656b359df250af5eea3ddd0b0_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4624	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 4624	1304	2024-04-16_1cc3fca656b359df250af5eea3ddd0b0_cryptolocker.exe	86
PID 1304 wrote to memory of 4624	1304	2024-04-16_1cc3fca656b359df250af5eea3ddd0b0_cryptolocker.exe	86
PID 1304 wrote to memory of 4624	1304	2024-04-16_1cc3fca656b359df250af5eea3ddd0b0_cryptolocker.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-04-16_1cc3fca656b359df250af5eea3ddd0b0_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_1cc3fca656b359df250af5eea3ddd0b0_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
44KB

MD5
fd9166b7c788ced4315effc1ebb30c14

SHA1
eeb4344906c8459fdbceb49953428bbc980a83b2

SHA256
e583aea257c7b25ee3620407e2b53ba043717ad01cf4b6399855b02a01736773

SHA512
56df2b0f8c7bd6f1ff6cdcdd9e5b26b33797b055f62c16f1b9f15d7c29d2c223797639c941027e1935826420de8093f39d15f897b81474ffd7c9bb6cdd31ad57

Download Submit
memory/1304-0-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/1304-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1304-2-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1304-3-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/1304-18-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/4624-17-0x0000000000500000-0x000000000050B000-memory.dmp

Filesize
44KB

Download
memory/4624-20-0x0000000000750000-0x0000000000756000-memory.dmp

Filesize
24KB

Download
memory/4624-23-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download