37575dffb811232e9cbad949dff96a601f1e191e1f6c40f563ef4a741aca6103

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_d4037b18f337c126657185b132f63680_cryptolocker.exe
Size

85KB
MD5

d4037b18f337c126657185b132f63680
SHA1

8b06f35aced3557091dde141b5d1d9e6419581e0
SHA256

37575dffb811232e9cbad949dff96a601f1e191e1f6c40f563ef4a741aca6103
SHA512

9cfa5dfa8e79b79480a86251ba482eefd1817d2412b111f93239240600b64d4f53aaa91cb372c1744769b116725b984100f158711345cedcd87f998670738ab6
SSDEEP

1536:V6QFElP6n+gMQMOtEvwDpjyaLccVNl6aO:V6a+pOtEvwDpjvpi

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023b9c-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023b9c-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	2024-04-28_d4037b18f337c126657185b132f63680_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2200	asih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2200	1868	2024-04-28_d4037b18f337c126657185b132f63680_cryptolocker.exe	84
PID 1868 wrote to memory of 2200	1868	2024-04-28_d4037b18f337c126657185b132f63680_cryptolocker.exe	84
PID 1868 wrote to memory of 2200	1868	2024-04-28_d4037b18f337c126657185b132f63680_cryptolocker.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-04-28_d4037b18f337c126657185b132f63680_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_d4037b18f337c126657185b132f63680_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
85KB

MD5
6c9127c0f34b10f7b14a67f72b49bef0

SHA1
5c4fe5e5ddf7536ca24f1fcf802b83e76429a9b6

SHA256
7f16a2011e5a44041a3b01469a4f9edb950f4ba3dcb1c857e2437a342b896789

SHA512
497301bb725cb15c6445e727360fe02d22c5f31eb9eeebb569961f2805b64f688a5d6eeb67284291f57709a829de280cbe753b392cdc527c889014d752428e66

Download Submit
memory/1868-0-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/1868-1-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/1868-7-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/2200-17-0x0000000002100000-0x0000000002106000-memory.dmp

Filesize
24KB

Download
memory/2200-23-0x00000000020E0000-0x00000000020E6000-memory.dmp

Filesize
24KB

Download