19dae53fb9fb9e008da14456d4a43c663fbe987d1ddb1b2c30560052662fafad

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_acff86b7aa7438b249ed9c135803ac07_cryptolocker.exe
Size

64KB
MD5

acff86b7aa7438b249ed9c135803ac07
SHA1

45ca424254f94b0ab2b10d599fb2555c7ed4eed6
SHA256

19dae53fb9fb9e008da14456d4a43c663fbe987d1ddb1b2c30560052662fafad
SHA512

0bc37c9c8dd32a3e6c3c2c1deb363f8e7bb9f772d45983a050c8cbb9a2488fadaf7ff96763e8c43afe81e5759ed4e4d297b93d5b5ad1628ecd6807e7a13a1d23
SSDEEP

1536:X6QFElP6n+gJQMOtEvwDpjBccD2RuoNmuBLZ/xblzoc:X6a+SOtEvwDpjBrO1

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x001c00000001e97e-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x001c00000001e97e-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	2024-04-24_acff86b7aa7438b249ed9c135803ac07_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4028	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 4028	4372	2024-04-24_acff86b7aa7438b249ed9c135803ac07_cryptolocker.exe	90
PID 4372 wrote to memory of 4028	4372	2024-04-24_acff86b7aa7438b249ed9c135803ac07_cryptolocker.exe	90
PID 4372 wrote to memory of 4028	4372	2024-04-24_acff86b7aa7438b249ed9c135803ac07_cryptolocker.exe	90

C:\Users\Admin\AppData\Local\Temp\2024-04-24_acff86b7aa7438b249ed9c135803ac07_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_acff86b7aa7438b249ed9c135803ac07_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
64KB

MD5
a16bbb80f9c531aa90ec52c187a67f76

SHA1
2d73b1c4a2f3d626760214c674da26d01a1f822c

SHA256
83b164904ac4707c222157bb3b96f81ce4cb5fc45fec4a01f0e91e5e3093da4c

SHA512
3d0b8f31978b4270484ff98a65d9a6190306632bbb856de0093b9a4aca4386753a24270b03ad4c99ece6cd444bfd5b2eb42ea70c0b9b2bd571dcde0687e9d2c1

Download Submit
memory/4028-17-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/4028-18-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/4372-0-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/4372-1-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/4372-2-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download