72666f9eb2fd3f68665fdf89c80793c662393d10e27eaa0929a89d459db325d6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_6f26e025c45ac5a7ced1651361a60ed0_cryptolocker.exe
Size

40KB
MD5

6f26e025c45ac5a7ced1651361a60ed0
SHA1

fc4a28fee2e5009c7a1cc1ae30c7a996392c9869
SHA256

72666f9eb2fd3f68665fdf89c80793c662393d10e27eaa0929a89d459db325d6
SHA512

6d891a19a3ae728e19fbcac412aa2cfca6c67d9f6f6c87e96b70083f6d9d48e3be6f6c50581ea7f7eeee0d31e09920734226423edfa0240f05f9871aaa47d258
SSDEEP

768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBaac4HK/wSvuQTCh:X6QFElP6n+gJQMOtEvwDpjBsYK/f+

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233fe-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233fe-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	2024-04-23_6f26e025c45ac5a7ced1651361a60ed0_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
5092	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 5092	2912	2024-04-23_6f26e025c45ac5a7ced1651361a60ed0_cryptolocker.exe	88
PID 2912 wrote to memory of 5092	2912	2024-04-23_6f26e025c45ac5a7ced1651361a60ed0_cryptolocker.exe	88
PID 2912 wrote to memory of 5092	2912	2024-04-23_6f26e025c45ac5a7ced1651361a60ed0_cryptolocker.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-04-23_6f26e025c45ac5a7ced1651361a60ed0_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_6f26e025c45ac5a7ced1651361a60ed0_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
40KB

MD5
0dce631e02a71df7814e96d024bacf17

SHA1
f6bd87aa3abdefd88e312ff9a071ea34eb23c6f1

SHA256
44ddb2ce92b4dbca888336fa99f42ea7b21cc2f10bba98cc8bdd4efd125c333b

SHA512
be0cd5f8a32d11a0be6693c0b81d5b00c5832c4d687f6fe2f650c4db9b886a6c19e2dc82e85d434e654d63bd8bc5c90d48e3ffdd3954af5a1c95baf5effdd4bb

Download Submit
memory/2912-0-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2912-2-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/2912-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/5092-17-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/5092-18-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download