Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/04/2024, 14:28

General

  • Target

    2024-04-16_1d69347b6ccd8b34b052c4c3ace5773e_cryptolocker.exe

  • Size

    89KB

  • MD5

    1d69347b6ccd8b34b052c4c3ace5773e

  • SHA1

    157813423ed3a2344cd4153dcd324498029cc32f

  • SHA256

    51e22185ac065dcb9ff3d1a2b50baae5c4d4157215690774e2574c52ebe56cf5

  • SHA512

    29b820e65e9d39110f47ff9fb04fba7eb8db0ca39d4cdeb3927d020dec7d308b3ee7cba5925860ef3b38b6acde013bf6d2a9a44fcca636be5fc582a312417b68

  • SSDEEP

    1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwMgddB:AnBdOOtEvwDpj6z1

Score
9/10

Tags
upx

Malware Config

Signatures

  • Detection of CryptoLocker Variants (4 IoCs)
  • Detection of Cryptolocker Samples (4 IoCs)
  • UPX dump on OEP (original entry point) (4 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (4 IoCs)

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-16_1d69347b6ccd8b34b052c4c3ace5773e_cryptolocker.exe (PID 2104)
    "C:\Users\Admin\AppData\Local\Temp\2024-04-16_1d69347b6ccd8b34b052c4c3ace5773e_cryptolocker.exe"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\asih.exe (PID 1812, child of PID 2104)
      "C:\Users\Admin\AppData\Local\Temp\asih.exe"
      • Executes dropped EXE
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1808)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3992 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

Downloads

  • C:\Users\Admin\AppData\Local\Temp\asih.exe
    Filesize: 89KB
    MD5: 7ad1c038f39223058c983c49b77967de
    SHA1: 1ad1e28a23dfd66a69a34ec6e05388f2e80d4588
    SHA256: 7355128158546f41a9fdca28115f097e3c7a697b4006cf6448f8346e2a587174
    SHA512: 7db415f0ae88d0ecefba74dbcdb24e9b877e9b9c8d86048560f383d150824d22cfc051dac9949fd9a851d567b3e22cfd8b351b232cbd38240f883189881de5dc

  • memory/1812-18-0x00000000004F0000-0x00000000004F6000-memory.dmp
    Filesize: 24KB

  • memory/1812-20-0x00000000004D0000-0x00000000004D6000-memory.dmp
    Filesize: 24KB

  • memory/1812-26-0x0000000000500000-0x000000000050F000-memory.dmp
    Filesize: 60KB

  • memory/2104-0-0x0000000000500000-0x000000000050F000-memory.dmp
    Filesize: 60KB

  • memory/2104-1-0x00000000021E0000-0x00000000021E6000-memory.dmp
    Filesize: 24KB

  • memory/2104-2-0x00000000021E0000-0x00000000021E6000-memory.dmp
    Filesize: 24KB

  • memory/2104-3-0x0000000002100000-0x0000000002106000-memory.dmp
    Filesize: 24KB

  • memory/2104-23-0x0000000000500000-0x000000000050F000-memory.dmp
    Filesize: 60KB
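As an added example (not part of the sandbox report and not code from the sample), the Python script below covers two things the report records: matching a file's SHA256 against the hashes listed above for the submitted sample and the dropped asih.exe, and inspecting a PE's section table for the indicators behind the "UPX packed file" signature. The PE images it analyses are constructed in build_pe() purely for the demo; their section names, sizes and the trailing "UPX!" marker are stand-ins, not bytes taken from the sample, and the three UPX heuristics are a generic approximation, not the sandbox's own detection rule.

```python
"""Offline triage helpers: SHA256 IoC matching against the report's hashes and a
UPX-packing check read from the PE section table. Added example; every PE blob
here is constructed by build_pe() for the demo, none comes from the sample."""
import hashlib
import struct

# SHA256 values copied from the report (submitted sample and dropped asih.exe).
KNOWN_SHA256 = {
    "51e22185ac065dcb9ff3d1a2b50baae5c4d4157215690774e2574c52ebe56cf5":
        "2024-04-16_1d69347b6ccd8b34b052c4c3ace5773e_cryptolocker.exe",
    "7355128158546f41a9fdca28115f097e3c7a697b4006cf6448f8346e2a587174":
        "asih.exe (dropped to %TEMP%)",
}

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256/SHA512 of a blob, the same set the report lists."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256", "sha512")}


def match_known(known: dict, sha256: str):
    """Return the report label for a SHA256 IoC hit, else None."""
    return known.get(sha256.lower())


def pe_sections(data: bytes) -> list:
    """Parse the PE section table into (name, virtual_size, raw_size) tuples.
    Raises ValueError when the blob is not a well-formed MZ/PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    if table + nsections * 40 > len(data):
        raise ValueError("section table runs past end of file")
    out = []
    for i in range(nsections):
        name, vsize, _va, rawsize, *_ = struct.unpack_from(SECTION_FMT, data, table + i * 40)
        out.append((name.split(b"\0", 1)[0].decode("ascii", "replace"), vsize, rawsize))
    return out


def upx_indicators(data: bytes, sections: list) -> list:
    """Heuristics for stock or lightly modified UPX: UPX-named sections, the
    'UPX!' packer header magic, and a first section with no raw data but a
    nonzero virtual size (UPX0 is the in-memory unpacking destination)."""
    hits = []
    if any(s[0].startswith("UPX") for s in sections):
        hits.append("UPX-named sections")
    if b"UPX!" in data:
        hits.append("UPX! header magic")
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        hits.append("first section has no raw data but nonzero virtual size")
    return hits


def triage(data: bytes, known: dict = KNOWN_SHA256) -> dict:
    """Hashes, IoC match and packer indicators for one blob; non-PE input
    yields an empty section list instead of an exception."""
    h = hashes(data)
    try:
        sections = pe_sections(data)
    except ValueError:
        sections = []
    return {"hashes": h, "known": match_known(known, h["sha256"]),
            "sections": sections, "upx": upx_indicators(data, sections)}


def build_pe(sections, trailer: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (headers only) for the demo.
    sections: (name, virtual_size, virtual_addr, raw_size, raw_ptr, characteristics)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)          # PE32 optional header
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table + trailer


# Constructed stand-ins: a UPX-style layout and a plain compiler layout.
PACKED = build_pe([(b"UPX0", 0x7000, 0x1000, 0, 0x400, 0xE0000080),
                   (b"UPX1", 0x16000, 0x8000, 0x15800, 0x400, 0xE0000040),
                   (b".rsrc", 0x1000, 0x1E000, 0x600, 0x15C00, 0xC0000040)],
                  trailer=b"UPX!")
PLAIN = build_pe([(b".text", 0x5000, 0x1000, 0x5000, 0x400, 0x60000020),
                  (b".rdata", 0x2000, 0x6000, 0x2000, 0x5400, 0x40000040),
                  (b".data", 0x1000, 0x8000, 0x400, 0x7400, 0xC0000040)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("plain", PLAIN)):
        r = triage(blob)
        print(label, r["hashes"]["sha256"][:16], [s[0] for s in r["sections"]],
              r["upx"], r["known"])
```

On a real file, pass the bytes read from disk to triage(); a SHA256 hit on either report hash identifies the sample or its drop, while a renamed-section UPX build still trips the empty-first-section heuristic, which is why the check does not rely on section names alone.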