Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-04-2024 22:24

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
  Resource: win10v2004-20240419-en
General
Target: 2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
Size: 42KB
MD5: 1fdbddfc21d9aff1fd3b110abdb1a0bc
SHA1: 8d895081f2ee9da51f8d090c3b2469be017c054d
SHA256: de48daa26ab9bef1f1f24fc4436f58d8d266462ef542bb718b577d5724f664fe
SHA512: b0456099efc30e6f8347adc829b15dabcaaa3f37c967e4eefb562e10d697304cd3577e54866ea2e607ab4aba1792d8f24ec249f586434dd7acdcf3158d0a2412
SSDEEP: 768:X6LsoEEeegiZPvEhHSG+gp/QtOOtEvwDpjBVaD3TP7DFHuRcD9o:X6QFElP6n+gJQMOtEvwDpjBmzDkWD+
Malware Config
Signatures
Detection of CryptoLocker Variants (1 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\asih.exe
  yara_rule: CryptoLocker_rule2

Detection of Cryptolocker Samples (1 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\asih.exe
  yara_rule: CryptoLocker_set1

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  process: 2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoCs)
Processes:
  pid: 1796
  process: asih.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 3872 wrote to memory of 1796
  pid: 3872
  process: 2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
  target process: asih.exe

  description: PID 3872 wrote to memory of 1796
  pid: 3872
  process: 2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
  target process: asih.exe

  description: PID 3872 wrote to memory of 1796
  pid: 3872
  process: 2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
  target process: asih.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe
   "C:\Users\Admin\AppData\Local\Temp\2024-04-27_1fdbddfc21d9aff1fd3b110abdb1a0bc_cryptolocker.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

2. C:\Users\Admin\AppData\Local\Temp\asih.exe
   "C:\Users\Admin\AppData\Local\Temp\asih.exe"
   - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\asih.exe
  Filesize: 42KB
  MD5: f1a367238a8936d47ba5842b075c9859
  SHA1: 7839a13579685beabcc6ef86a4e40363296bbe28
  SHA256: ad90a54109889f75db3629bf9e9375449cd9e9377f700f03d87a73e262580cf8
  SHA512: 71f4eaa18cc482f0a864efa5e25e2c038622eeb8b88374c15197d82f4d9309f4277c777bb3004a08c7eb8b06a87a74160d54a53e55e86b520a5065a1564e74da

memory/1796-17-0x00000000005C0000-0x00000000005C6000-memory.dmp
  Filesize: 24KB

memory/1796-23-0x00000000005A0000-0x00000000005A6000-memory.dmp
  Filesize: 24KB

memory/3872-0-0x00000000021C0000-0x00000000021C6000-memory.dmp
  Filesize: 24KB

memory/3872-1-0x00000000021C0000-0x00000000021C6000-memory.dmp
  Filesize: 24KB

memory/3872-2-0x0000000002050000-0x0000000002056000-memory.dmp
  Filesize: 24KB