Analysis
-
max time kernel
146s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
16/04/2024, 14:28
Behavioral task
behavioral1
Sample
2024-04-16_1d69347b6ccd8b34b052c4c3ace5773e_cryptolocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-16_1d69347b6ccd8b34b052c4c3ace5773e_cryptolocker.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-04-16_1d69347b6ccd8b34b052c4c3ace5773e_cryptolocker.exe
-
Size
89KB
-
MD5
1d69347b6ccd8b34b052c4c3ace5773e
-
SHA1
157813423ed3a2344cd4153dcd324498029cc32f
-
SHA256
51e22185ac065dcb9ff3d1a2b50baae5c4d4157215690774e2574c52ebe56cf5
-
SHA512
29b820e65e9d39110f47ff9fb04fba7eb8db0ca39d4cdeb3927d020dec7d308b3ee7cba5925860ef3b38b6acde013bf6d2a9a44fcca636be5fc582a312417b68
-
SSDEEP
1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwMgddB:AnBdOOtEvwDpj6z1
Malware Config
Signatures
-
Detection of CryptoLocker Variants 4 IoCs
resource yara_rule behavioral2/memory/2104-0-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral2/files/0x000f000000023249-13.dat CryptoLocker_rule2 behavioral2/memory/2104-23-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 behavioral2/memory/1812-26-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_rule2 -
Detection of Cryptolocker Samples 4 IoCs
resource yara_rule behavioral2/memory/2104-0-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral2/files/0x000f000000023249-13.dat CryptoLocker_set1 behavioral2/memory/2104-23-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 behavioral2/memory/1812-26-0x0000000000500000-0x000000000050F000-memory.dmp CryptoLocker_set1 -
UPX dump on OEP (original entry point) 4 IoCs
resource yara_rule behavioral2/memory/2104-0-0x0000000000500000-0x000000000050F000-memory.dmp UPX behavioral2/files/0x000f000000023249-13.dat UPX behavioral2/memory/2104-23-0x0000000000500000-0x000000000050F000-memory.dmp UPX behavioral2/memory/1812-26-0x0000000000500000-0x000000000050F000-memory.dmp UPX -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 2024-04-16_1d69347b6ccd8b34b052c4c3ace5773e_cryptolocker.exe -
Executes dropped EXE 1 IoCs
pid Process 1812 asih.exe -
resource yara_rule behavioral2/memory/2104-0-0x0000000000500000-0x000000000050F000-memory.dmp upx behavioral2/files/0x000f000000023249-13.dat upx behavioral2/memory/2104-23-0x0000000000500000-0x000000000050F000-memory.dmp upx behavioral2/memory/1812-26-0x0000000000500000-0x000000000050F000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2104 wrote to memory of 1812 2104 2024-04-16_1d69347b6ccd8b34b052c4c3ace5773e_cryptolocker.exe 90 PID 2104 wrote to memory of 1812 2104 2024-04-16_1d69347b6ccd8b34b052c4c3ace5773e_cryptolocker.exe 90 PID 2104 wrote to memory of 1812 2104 2024-04-16_1d69347b6ccd8b34b052c4c3ace5773e_cryptolocker.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-16_1d69347b6ccd8b34b052c4c3ace5773e_cryptolocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-16_1d69347b6ccd8b34b052c4c3ace5773e_cryptolocker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\asih.exe"C:\Users\Admin\AppData\Local\Temp\asih.exe"2⤵
- Executes dropped EXE
PID:1812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3992 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:81⤵PID:1808
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
89KB
MD57ad1c038f39223058c983c49b77967de
SHA11ad1e28a23dfd66a69a34ec6e05388f2e80d4588
SHA2567355128158546f41a9fdca28115f097e3c7a697b4006cf6448f8346e2a587174
SHA5127db415f0ae88d0ecefba74dbcdb24e9b877e9b9c8d86048560f383d150824d22cfc051dac9949fd9a851d567b3e22cfd8b351b232cbd38240f883189881de5dc