e7ba035b2e0035a05c5b51c3130d73be305c71865f734556e44781ac78661af5

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_f12851a675097374574b19e17650712f_cryptolocker.exe
Size

61KB
MD5

f12851a675097374574b19e17650712f
SHA1

31eddace3805aaccfb8802b6f61551c71d9c27aa
SHA256

e7ba035b2e0035a05c5b51c3130d73be305c71865f734556e44781ac78661af5
SHA512

54b0bed721d9bcd15d6cc713db5045a9b8442e8ef741355c42d2edb3437950d7c754d3af005a033101d06cea3fe9af54bfd1cf1cf29512a72b76e12017fd2a29
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjyaLccVCbt5q:V6a+pOtEvwDpjvD

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000233d2-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000233d2-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	2024-04-20_f12851a675097374574b19e17650712f_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4076	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 4076	2028	2024-04-20_f12851a675097374574b19e17650712f_cryptolocker.exe	87
PID 2028 wrote to memory of 4076	2028	2024-04-20_f12851a675097374574b19e17650712f_cryptolocker.exe	87
PID 2028 wrote to memory of 4076	2028	2024-04-20_f12851a675097374574b19e17650712f_cryptolocker.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-04-20_f12851a675097374574b19e17650712f_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_f12851a675097374574b19e17650712f_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
61KB

MD5
3f0a0fc6ed843ee4bde3f1ed7e6cacb0

SHA1
fa35f3c591bb7f71f0ace0be254eb458458bd9c7

SHA256
336d4c5cba92e1fe0d2a1a7a1cbb3cbde282b984bfb5c468fa92128d815a6293

SHA512
5d725f5489920ac27a17d59efc6f558be7fe374cffc13a6203530a705c91ce94c2f2ffb5be23f4a082d04dfc9b181d4f3a65735262e857e4364c3fa531bfd051

Download Submit
memory/2028-0-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2028-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2028-2-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/4076-17-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/4076-19-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download